Best practice for managing secrets (passwords, private keys) used by Python scripts running as daemons

[Malcolm Greene]

Looking for your suggestions on best practice techniques for managing
secrets used by Python daemon scripts. Use case is Windows scripts
running as NT Services, but interested in Linux options as well.
Here's what we're considering

1. Storing secrets in environment vars
2. Storing secrets in config file only in subfolder with access limited
   to daemon account only3. Using a 3rd party vault product

Thanks