It's a basic security hygiene issue that the likes of Google, AWS, Anthropic etc all fail.

Has any Cloud/SaaS-with-a-CLI company made a client that does something better, like Linux kernel keyrings?

ssh will refuse to work if the key is world-readable, but they are not protected from third-party code that is launched with the developer's permissions, unless they are using SELinux or custom ACLs, which is not common practice.