That's not a reasonable argument. The problem is pushing confidential info into a repository. It matters nothing what the branch you push it is called.
> FWIW - we run secret detection in our trunk check precommit action - so we make sure that secrets are never committed into local or remote branches.
Irrelevant. You're describing a failsafe. It's like claiming that you don't need to care about speed limits because a road has guardrails. The whole process is broken if it fails to address the main reason confidential info can be pushed into repositories.
That's not a reasonable argument. The problem is pushing confidential info into a repository. It matters nothing what the branch you push it is called.