
This doesn’t really fix that it can echo the secrets and read the logs. `enveil run -- printenv`


Not the author, but no, the decryption would ask for the secret again? The readme mentions it's wiped from memory after use.


Jenkins CI has a clever feature where every password it injects will be redacted if printed to stdout; `enveil run` could do that with the wrapped process?

Of course that's only a defense against accidents. Nothing prevents encoding base64 or piping to disk.
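The output redaction discussed in the comment above, as an added example that is not part of the thread and is neither enveil's nor Jenkins's code: a stream filter that masks a known secret even when it arrives split across two reads, and that lets the base64 form of the same value through unchanged. The class name, sample secret and output chunks are constructed for illustration.

```python
import base64

MASK = "****"

class StreamRedactor:
    """Masks known secret values in output that arrives in arbitrary chunks."""

    def __init__(self, secrets):
        # Longest first, so a secret that contains another is masked whole.
        self.secrets = sorted((s for s in secrets if s), key=len, reverse=True)
        # Hold back enough tail to catch a secret split across two chunks.
        self.keep = max((len(s) for s in self.secrets), default=1) - 1
        self.buf = ""

    def _mask(self, text):
        for s in self.secrets:
            text = text.replace(s, MASK)
        return text

    def feed(self, chunk):
        """Return the text that is safe to emit now; keep the tail for later."""
        self.buf = self._mask(self.buf + chunk)
        cut = len(self.buf) - self.keep
        if cut <= 0:
            return ""
        out, self.buf = self.buf[:cut], self.buf[cut:]
        return out

    def flush(self):
        """Emit whatever is still held back once the child has exited."""
        out, self.buf = self._mask(self.buf), ""
        return out

def redact_stream(chunks, secrets):
    r = StreamRedactor(secrets)
    return "".join(r.feed(c) for c in chunks) + r.flush()

SECRET = "s3cr3t-constructed-value"  # constructed sample, not a real credential
# Constructed child-process output; the secret straddles the two chunks.
PLAIN_CHUNKS = ["API_TOKEN=s3cr3t-con", "structed-value\nPATH=/usr/bin\n"]
# The same value in base64: exact-match redaction has nothing to match on.
ENCODED_CHUNKS = [base64.b64encode(SECRET.encode()).decode() + "\n"]

if __name__ == "__main__":
    print(redact_stream(PLAIN_CHUNKS, [SECRET]), end="")
    print(redact_stream(ENCODED_CHUNKS, [SECRET]), end="")
```

Exact-match masking of this kind keeps accidental prints out of logs; it does not constrain what the wrapped process does with the value once it has it.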



