Tags: devops, continuous-deployment, secret-key

Why don't CD pipelines build with secrets embedded?


I'm working on a large Go project that needs various API keys. We have an action triggered on push that builds the server binary and uploads it to a GCP instance. A systemd service that calls the binary with flags for each of the API keys is also uploaded (though a .env file could also be used, functionally the same). I think a lot of CI/CD pipelines do something similar, so why not just embed the secrets in the binary itself at that point? (Through ldflags or sed or something.)


Solution

  • There are a few reasons why this isn't common, from my experience. This isn't an exhaustive list, but here are a couple:

    1. Separation of Concerns - Embedding secrets in your binary complicates key management and environment configuration. Ex: if you need to rotate a key, you’d have to rebuild and redeploy the binary. Similarly, managing different environments (dev/stg/prd) becomes difficult, as you'd need separate binaries for each, with their respective secrets embedded. Keeping secrets external allows for easier updates and environment separation without touching your app code.
    2. Security Risks - If someone gains access to your binary, they can potentially use it to interact with your systems directly, without needing to hunt for or extract the embedded secrets.
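
As an added illustration (not part of the question or answer above) of the alternative the question already uses, here is a small Go program that resolves each API key at runtime from a flag or the environment and fails closed when neither is set; the `buildTimeKey` variable shows where a `-ldflags "-X ..."` value would land, and the names `resolveSecret`, `redact` and `API_KEY` are assumptions for the example.

```go
package main

import (
	"flag"
	"fmt"
	"os"
)

// buildTimeKey is what `go build -ldflags "-X main.buildTimeKey=..."` would
// populate. It is deliberately left empty: a value set this way is a plain
// string inside the binary and cannot be rotated without rebuild and redeploy.
var buildTimeKey string

// resolveSecret returns the secret for name, preferring an explicit flag value
// (as the systemd unit in the question passes), then the environment (e.g. a
// .env file loaded via EnvironmentFile=), and failing closed when neither is
// set. lookup is injected so the resolution can be tested without real env vars.
func resolveSecret(name, flagValue string, lookup func(string) (string, bool)) (string, error) {
	if flagValue != "" {
		return flagValue, nil
	}
	if v, ok := lookup(name); ok && v != "" {
		return v, nil
	}
	return "", fmt.Errorf("secret %s not provided via flag or environment", name)
}

// redact keeps only the last four characters so a key can be identified in
// logs (which key was loaded, from which environment) without leaking it.
func redact(s string) string {
	if len(s) <= 4 {
		return "****"
	}
	return "****" + s[len(s)-4:]
}

func main() {
	apiKeyFlag := flag.String("api-key", "", "API key (alternatively set API_KEY)")
	flag.Parse()
	key, err := resolveSecret("API_KEY", *apiKeyFlag, os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println("using API key", redact(key))
}
```

Rotating a key then means updating the unit file or .env and restarting the service, with no rebuild of the binary.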