Running via CLI will expose the passwords

I intend to use Duplicati on macOS via command line but realized that passwords will be exposed during backups.

Exposed to who? There’s not much macOS expertise around, but most systems provide access limits. Sometimes this means that one must be an administrator to go snooping. Current user already knows.

Which password are you most worried about? Some allow other means (but are they any better?) e.g.:

  --passphrase (Password): Passphrase used to encrypt backups
    Supply a passphrase that Duplicati will use to encrypt the backup volumes,
    making them unreadable without the passphrase. This variable can also be
    supplied through the environment variable PASSPHRASE.

A more general solution, somewhat similar to what Server/TrayIcon provides, and it only works on CLI:

  --parameters-file (Path): Path to a file with parameters
    This option can be used to store some or all of the options given to the
    commandline client. The file must be a plain text file, UTF-8 encoding is
    preferred. Each line in the file should be of the format --option=value.
    The special options --source and --target can be used to override the
    localpath and the remote destination uri, respectively. The options in
    this file take precedence over the options provided on the commandline.
    You cannot specify filters in both the file and on the commandline.
    Instead, you can use the special --replace-filter, --append-filter, or
    --prepend-filter options to specify filters inside the parameter file.
    Each filter must be prefixed with either a + or a -, and multiple filters
    must be joined with ;
    * aliases: --parameter-file, --parameterfile

but then you have to protect the file (against who?). You can also push settings from run-script-before.
Example Scripts covers this. Using stdout into Duplicati is private, and how to get the secret is up to you.

As you posted this in Developer category, were you considering creating something more than those?
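
Added example, not part of the posts above and not Duplicati's own code: one way to use the `--parameters-file` option quoted in the reply so the passphrase stays out of the command line, with a check that the file is owner-only before each run. The function names, the `DUPLICATI_CLI` variable, the `duplicati-cli` launcher name and all paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Duplicati code). Function names, DUPLICATI_CLI and all
# paths are assumptions made for illustration.

# Succeed only for a regular file owned by us with no group/other bits and
# no extended ACL ("+" after the mode string in ls output).
is_private_file() {
    [ -O "$1" ] || return 1
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-11)
    case $mode in
        -???------+) return 1 ;;   # ACL present: may grant extra readers
        -???------*) return 0 ;;
        *)           return 1 ;;   # symlink, directory, or group/other access
    esac
}

# Read the passphrase from stdin and store it as one --option=value line.
# printf is a shell builtin, so the secret never appears in any process argv.
write_params_file() {
    old_umask=$(umask)
    umask 077                      # created owner-only, no chmod race
    rm -f -- "$1"                  # do not inherit a loose mode from an old file
    IFS= read -r secret
    printf '%s\n' "--passphrase=$secret" > "$1"
    unset secret
    umask "$old_umask"
}

# Refuse to start a backup if the parameters file is readable by anyone else.
# Assumption: the launcher is duplicati-cli unless DUPLICATI_CLI overrides it.
run_backup() {
    params=$1; shift
    if ! is_private_file "$params"; then
        echo "refusing to run: $params is not owner-only" >&2
        return 1
    fi
    "${DUPLICATI_CLI:-duplicati-cli}" backup "$@" --parameters-file="$params"
}
```

Feed `write_params_file` from whatever holds the secret (an interactive prompt, a keychain lookup). Exporting `PASSPHRASE` for a single run also keeps the value out of argv, but leaves it in the process environment.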