Kubernetes Secrets are base64-encoded, not encrypted by default. Proper Secrets management requires encryption at rest, external secret stores, and strict RBAC controls.