Read password from gnome keyring

That’s a common myth and it’s not true for Linux in the last two decades. By default, the file /proc/<pid>/environ can only be read by the user the process belongs to. Here’s a bit of background: https://security.stackexchange.com/questions/14000/environment-variable-accessibility-in-linux/14009#14009

If you don’t want to use environment variables, then use the shell to run a program which prints the password to stdout, and the shell will take care that restic can read this from a (simulated) file:

$ restic --repo /srv/data/repo --password-file <(gpg --decrypt restic-password.gpg) backup /home

In this case, the password can only be read once (by restic) and won’t be contained in the process’ environment variables.

I think the gnome keyring thing has a CLI program which allows printing passwords to stdout, you can use it with restic this way.
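The two claims in the reply above (the password is not in the process environment, and the substituted file can only be read once) can be checked on Linux with bash. This is an added example, not part of the original post: a small probe script stands in for restic and `cat` on a temp file stands in for `gpg --decrypt`; the probe, the file names and the passphrase are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The probe script stands in for restic and
# `cat secret` for `gpg --decrypt`; all names and values here are constructed.
unset RESTIC_PASSWORD
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '%s' 'constructed-sample-passphrase' > "$work/secret"

# Probe: report whether the password is in this process's environment and
# what a password file passed as $1 yields on a first and a second read.
cat > "$work/probe" <<'EOF'
in_env=$(tr '\0' '\n' < "/proc/$$/environ" | grep -c '^RESTIC_PASSWORD=')
kind=none first= second=
if [ -n "$1" ]; then
  if [ -p "$1" ]; then kind=pipe; else kind=file; fi
  first=$(cat "$1")
  second=$(cat "$1")
fi
echo "in_env=$in_env kind=$kind first=${#first} second=${#second}"
EOF

# Password handed over in the environment: it shows up in the child's
# /proc/<pid>/environ, readable by the owning user while the child runs.
via_env() {
  RESTIC_PASSWORD=$(cat "$work/secret") bash "$work/probe"
}

# Password handed over by process substitution, as in the command above.
# <( ) is a bash/zsh feature, so a script run by plain sh (cron, for example)
# has to invoke bash explicitly, as done here.
via_process_substitution() {
  bash -c 'bash "$1" <(cat "$2")' _ "$work/probe" "$work/secret"
}

via_env                    # in_env=1 kind=none first=0 second=0
via_process_substitution   # in_env=0 kind=pipe first=29 second=0
```

For GNOME Keyring, the command inside `<( )` would be libsecret's `secret-tool lookup <attribute> <value>`, where the attribute and value are whatever the secret was stored under.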

While I in general like the idea of collecting user contributions somewhere, at the risk of sounding very negative: I’d like to keep that out of the repositories in the restic org.

The question here is: who maintains these scripts? I think we should concentrate on improving restic itself, adding important features (prune, compression, config file) over time. So the contributed scripts should live somewhere else, so users don’t get the impression that we maintain them.

How about adding a section to the manual where we collect links to repos of other people? This way, it’s clear that we (as a project) are not responsible for maintaining the scripts.