I'd like contributors to be able to encrypt new variables for a target environment without the ability to decrypt other variables.
For example, let's say we want to update the variable BIG_SECRET in production. Today, it seems the contributor would need the DOTENV_KEY_PRODUCTION key from .env.keys and the DOTENV_VAULT_PRODUCTION variable from .env.vault. Because all the secrets are encrypted together, it seems a contributor would be able to read all the variables when given access to the key. It follows that a contributor can't add only BIG_SECRET to the vault without access to everything in production.
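One way to get the property requested above, as an added example that is not part of the original issue and is not dotenv-vault's own format or API: each variable is sealed separately to an environment public key, so a contributor can add BIG_SECRET without being able to read the other entries. The function names, the dotted base64 layout and the sample values are assumptions constructed for illustration.

```javascript
// Added example: write-only secrets via per-variable public-key encryption.
// Names, layout and values are constructed; this is not dotenv-vault's format.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Operator side: the private key stays with the deploy environment,
// the public key can be handed to every contributor.
function generateEnvironmentKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Contributor side: needs only the public key. A fresh AES-256-GCM key
// encrypts the value and is itself wrapped with RSA-OAEP, so the value
// length is not limited by the RSA modulus.
function sealVariable(publicKey, name, value) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  cipher.setAAD(Buffer.from(name)); // bind the ciphertext to the variable name
  const body = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  const wrapped = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return [wrapped, iv, cipher.getAuthTag(), body].map((b) => b.toString('base64')).join('.');
}

// Runtime side: only the private-key holder can open any entry.
function openVariable(privateKey, name, sealed) {
  const [wrapped, iv, tag, body] = sealed.split('.').map((s) => Buffer.from(s, 'base64'));
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, iv);
  decipher.setAAD(Buffer.from(name));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Constructed demo: the vault is a plain map of name -> sealed value.
function demo() {
  const { publicKey, privateKey } = generateEnvironmentKeys();
  const vault = { DATABASE_URL: sealVariable(publicKey, 'DATABASE_URL', 'postgres://constructed') };
  // A contributor holding only publicKey adds BIG_SECRET.
  vault.BIG_SECRET = sealVariable(publicKey, 'BIG_SECRET', 'constructed-value');
  // The same contributor cannot read the existing entry with the public key.
  let contributorCanRead = true;
  try { openVariable(publicKey, 'DATABASE_URL', vault.DATABASE_URL); } catch { contributorCanRead = false; }
  return { vault, contributorCanRead, opened: openVariable(privateKey, 'BIG_SECRET', vault.BIG_SECRET) };
}
```

Holding the public key allows adding or replacing entries but not reading them, so changes to the vault file still need review before deployment.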