Visibility of custom environment variables in public project

Simple question: am I correct in assuming that custom environment variables are only visible to project maintainers and owners?

I would guess this concerns the manage variables action under project member permissions in the following document: https://docs.gitlab.com/ee/user/permissions.html#project-features

I understand that their contents might also be visible to non-maintainers by logging them in job console output… but I guess you can avoid that “leak” by disabling public pipelines and by marking the respective environment variables as masked.

Are there any other ways my variables (e.g. keys to deploy infrastructure) might be leaked that I am unaware of, other steps that I should take to protect them, …?

Thanks for some insight!

KR
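
An added example, not part of the original post: a small audit of the two settings the question names (masked variables and public pipelines), run over constructed JSON shaped like GitLab's `GET /projects/:id` and `GET /projects/:id/variables` responses. It goes one step beyond the question by also checking each variable's `protected` flag; the variable names and sample data are assumptions.

```python
import json

# Constructed sample data, shaped like the JSON GitLab returns for a project
# and for its CI/CD variables. Secret values are deliberately left out.
SAMPLE_PROJECT = json.loads('{"visibility": "public", "public_jobs": true}')
SAMPLE_VARIABLES = json.loads("""[
  {"key": "DEPLOY_SSH_KEY", "masked": false, "protected": false},
  {"key": "CLOUD_API_TOKEN", "masked": true, "protected": false},
  {"key": "PROD_DB_PASSWORD", "masked": true, "protected": true}
]""")


def logs_readable_by_non_members(project):
    """True when job logs can be opened by people outside the project.

    A missing "public_jobs" field is treated as enabled, the cautious reading.
    """
    return (project.get("visibility") != "private"
            and project.get("public_jobs", True))


def audit(project, variables):
    """Return (key, issue) pairs; key is None for a project-level issue."""
    findings = []
    exposed = logs_readable_by_non_members(project)
    if exposed:
        findings.append((None, "public pipelines: job logs readable by non-members"))
    for var in variables:
        key = var["key"]
        if not var.get("masked", False):
            issue = "not masked: a job that prints it shows the value in its log"
            if exposed:
                issue += ", and that log is readable by non-members"
            findings.append((key, issue))
        if not var.get("protected", False):
            # Unprotected variables are handed to pipelines on every ref,
            # not only to those running on protected branches and tags.
            findings.append((key, "not protected: available on every branch and tag"))
    return findings


if __name__ == "__main__":
    for key, issue in audit(SAMPLE_PROJECT, SAMPLE_VARIABLES):
        print(f"{key or '<project>'}: {issue}")
```

To run it against a real project, replace the two sample objects with the JSON those endpoints return for a token that is allowed to manage variables.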