How can I avoid exposing secret Environment Variables in logs?
Secrets and Environment Variables can be accessed and used in a similar way, but Secrets are not stored as part of the build configuration on Bitrise.
Making a Secret protected only affects its behavior in the UI: no one can reveal its value in the Workflow Editor; the value can only be replaced.
When it comes to the build logs, Secrets (protected or not) appear as [REDACTED], specifically to avoid anyone accessing sensitive information.
If you expose the Secrets for pull requests, the information will appear in build logs.
To ensure that your Secrets are NOT exposed in your logs, there are several options:
- You can have a pull-request-triggered workflow launch an additional workflow that handles the deployment part requiring the Secrets.
- You can control who has access to the builds on the repo and make sure no unauthorized person has access. (In the case of private repositories, this usually isn't a security risk, because people working on the repo often have to have access to this data anyway.)
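
To verify that a finished build log really shows only [REDACTED], the following added example (not Bitrise code, and not part of the original page) scans log text for known Secret values and reports the variable name and line number without printing the value. It goes beyond the page by also checking base64, URL-encoded and hex forms, on the assumption that a value can reach the log in another encoding; all names, values and log lines are constructed.

```python
import base64
import urllib.parse

MIN_LEN = 6  # shorter values match ordinary log text by chance


def forms(value: str) -> dict[str, str]:
    """Return the spellings of a secret value to search for, keyed by form name."""
    raw = value.encode()
    candidates = {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "urlencoded": urllib.parse.quote(value, safe=""),
        "hex": raw.hex(),
    }
    # Drop forms identical to the plain value so one leak is reported once.
    return {k: v for k, v in candidates.items() if k == "plain" or v != value}


def find_leaks(log_text: str, secrets: dict[str, str]) -> list[tuple[int, str, str]]:
    """Return (line number, secret name, form) for every secret seen in the log.

    Only the variable name is reported, never the value, so the report itself
    is safe to store next to the build log.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, value in secrets.items():
            if len(value) < MIN_LEN:
                continue
            for form, needle in forms(value).items():
                if needle in line:
                    findings.append((line_no, name, form))
    return findings


# Constructed sample data: names, values and log lines are invented for the demo.
SAMPLE_SECRETS = {"DEPLOY_TOKEN": "s3cr3t-t0ken/EXAMPLE", "SIGNING_PASS": "constructed-pass-123"}
_token = SAMPLE_SECRETS["DEPLOY_TOKEN"]
SAMPLE_LOG = "\n".join([
    '+ curl -H "Authorization: Bearer [REDACTED]" https://deploy.example.invalid/upload',
    f"+ echo token={_token}",
    f"+ echo {base64.b64encode(_token.encode()).decode()}",
    f"+ git ls-remote https://ci:{urllib.parse.quote(_token, safe='')}@git.example.invalid/app.git",
])

if __name__ == "__main__":
    for line_no, name, form in find_leaks(SAMPLE_LOG, SAMPLE_SECRETS):
        print(f"line {line_no}: {name} appears in {form} form")
```

Any finding means the value should be treated as disclosed and replaced.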