Is there a way to limit access to a secret to a specific action?

The idea is to ensure that a certain secret is only used in a specific way, which a specific custom action can guarantee.

However, I cannot find a way to pass a secret to an action unless the secret is visible to the entire repo. Am I missing something? Is there some advanced secret-fu that would achieve this? If not, any plans?

A comparable feature would be system credentials in Jenkins: they are not accessible by mere build scripts, only by plugins explicitly installed by the administrator.

You aren’t; actions can’t access secrets unless the workflow explicitly provides them. As far as I’m aware that’s a design decision for security, so 3rd-party actions can’t sneakily access secrets.
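
The behaviour described in the answer, as an added example that is not part of the original thread. It assumes GitHub Actions workflow syntax; the secret `DEPLOY_TOKEN`, the actions `some-org/linter-action` and `my-org/deploy-action`, and the input `token` are hypothetical names.

```yaml
# Added illustration: the same secret passed two ways.
# Secret, action and input names are hypothetical.
name: deploy
on: push

jobs:
  too-broad:
    runs-on: ubuntu-latest
    env:
      # Job-level env: every step in this job gets the value in its environment.
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/linter-action@v1   # also sees DEPLOY_TOKEN
      - uses: my-org/deploy-action@v1

  scoped:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/linter-action@v1   # receives no secret
      - uses: my-org/deploy-action@v1
        with:
          # Step-level input: only this action receives the value.
          token: ${{ secrets.DEPLOY_TOKEN }}
```

The scoping comes from what the workflow file writes, not from the secret itself: anyone who can edit the workflow can reference the same secret in another step.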