Obviously if your app is compromised all its secrets are too. Hopefully one doesn’t pull the entire secrets backend to a single app and has audit logs to assess the actual impact and what else needs to be rotated. Also Vault is not just about kv secrets, there’s also pki, ssh and more