I put a lot of effort into ensuring that API keys wouldn't be logged anywhere in my infrastructure (or Google Cloud's either) - I went as far as building a new Datasette plugin just to enable data to be stored and transferred in cookies, since those don't end up in log files:

https://datasette.io/plugins/datasette-cookies-for-magic-par...

Totally understand if you're not willing to trust it though!

The code is all open source, so you're able to try it entirely on infrastructure you control if you want to.