I intend to use Duplicati on MacOS via command line but realized that passwords will be exposed during backups
Exposed to who? There’s not much macOS expertise around, but most systems provide access limits. Sometimes this means that one must be an administrator to go snooping. Current user already knows.
Which password are you most worried about? Some allow other means (but are they any better?) e.g.:
--passphrase (Password): Passphrase used to encrypt backups
Supply a passphrase that Duplicati will use to encrypt the backup volumes,
making them unreadable without the passphrase. This variable can also be
supplied through the environment variable PASSPHRASE.
A more general solution, somewhat similar to what Server/TrayIcon provides, and it only works on CLI:
--parameters-file (Path): Path to a file with parameters
This option can be used to store some or all of the options given to the
commandline client. The file must be a plain text file, UTF-8 encoding is
preferred. Each line in the file should be of the format --option=value.
The special options --source and --target can be used to override the
localpath and the remote destination uri, respectively. The options in
this file take precedence over the options provided on the commandline.
You cannot specify filters in both the file and on the commandline.
Instead, you can use the special --replace-filter, --append-filter, or
--prepend-filter options to specify filters inside the parameter file.
Each filter must be prefixed with either a + or a -, and multiple filters
must be joined with ;
* aliases: --parameter-file, --parameterfile
but then you have to protect the file (against who?). You can also push settings from run-script-before.
Example Scripts covers this. Using stdout into Duplicati is private, and how to get secret is up to you.
As you posted this in Developer category, were you considering creating something more than those?