Prevent Data Connection editor from accessing secrets

Is there a way to let someone add syncs to a Data Connection source without giving them read access to all the source secrets?

Specifically, it seems like Data Connection won’t let me copy and paste source secrets out of the source directly, but I can turn on code import and then pull the secrets out in a code repo.

Asking because I’d like to let power users add new syncs to a Data Connection source without letting them access the (unfortunately extremely powerful) API key we’re using.

I think you’d just grant users edit permissions to the source, but not owner, and make sure code imports are disabled for that source.

magritte:source-imports:manage-source-usage-restrictions is the operation that controls whether or not a source can be imported into code, and that is granted only to the owner role by default. Editor should be sufficient to set up a sync via the point and click UI.

(credit to @aczarnecki for this answer)