Is there a way to limit access to a secret to a specific action?

The idea is to ensure that a certain secret is only used in a specific way, which a specific custom action can guarantee.

However, I cannot find a way to pass a secret to an action unless the secret is visible to the entire repo. Am I missing something? Is there some advanced secret-fu that would achieve this? If not, any plans?

A comparable feature would be system credentials in Jenkins: they are not accessible by mere build scripts, only by plugins explicitly installed by the administrator.