I administrate multiple home assistant servers via VS Code Remote. I save the API key and server address on the remote host (i.e. in config/.vscode/settings.json). VS Code presents the correct configuration to vscode-home-assistant, and I get API access to the correct server.

Now on every startup, the extension migrates the secrets to secret storage, but then fails to delete them from the json file (because it only tries to delete them from Global storage, thankfully for my case!):

I think ideally, API keys stored in the workspace should not be migrated and should have highest importance.
If someone has access to the config folder, then they can access / modify home assistant at will, the API does not need more pretection than the config directory itself.