My god, he never took middle school hygiene. He never saw the propaganda films.
That comes to mind.
What I have seen people do in the past is use Ansible secrets to secure the env file.
So only when the playbook is running does the env get decrypted.
DigitalOcean has an extensive how-to on it.
https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data
I assume you have root login denied in your SSH config. Other things would be having fail2ban and some geofencing (blocking IPs from countries you know you are never going to log in from).
Go onnnn.