Thanks @JonB. I'm looking to cache API keys for Dropbox (see this thread) so "reasonably secure" should probably mean "invisible from access if someone gets access to the device".
The use case / need is to store short-lived authentication tokens used for Dropbox API calls. Although this pattern-matches against the environment variables option, these tokens need to be refreshed fairly frequently. The refresh is relatively painless/automated, but still results in an updated key values that needs to be stored. I suspect an .env file or similar stored somewhere that the Files app can read it directly is probably not a good solution since these keys might allow access to sensitive information,
Encrypting a settings file in iCloud at rest might work but I'm not clear how to do that if the python code that would decrypt the data is also stored in iCloud -- wouldn't that mean someone could just read the Python code and figure out how to decrypt it? I might be missing something here.
I'd prefer something less tied to the Mac ecosystem, but maybe Keychain is the best option to explore?