> Lets say someone gets access to the server, they can still read the ENV vars, right?

Correct. Easiest way is to look at `/proc/$pid/environ`. It contains the \0 separated values for that process.