hi,
a simple problem with a complex answer.
here is what i do on windows, but you can generalize it for macos
i have a python script, 350 lines of code, named cloner, to handle all my backup needs, including rclone, fastcopy and 7zip.
that script has my own encryption / decryption algorithm, a combination of rot and xor and some secret sauce.
i use that python script to encrypt the rclone password and store it in the windows registry, well hidden.
when cloner runs, it reads the encrypted password, decrypts it and copies it to another location inside the windows registry.
given that python code is plain text, somebody could get my encryption algorithm, get the encrypted password from the registry and then decrypt the password.
but i compile that code into a .exe and feed it to upx, which compresses and scrambles the .exe.
then cloner runs a .cmd batch file, which reads the password from the registry, sets the variable RCLONE_CONFIG_PASS, deletes the password from the registry and runs rclone.
i use cloner on a bunch of servers and desktops.
now you might say that somebody, on the personal computer, could modify that plain text batch file and thus obtain the rclone password.
but that batch script and all other scripts are themselves encrypted.
cloner will, on the fly, decrypt the batch file, copy it to a temp folder with a random folder name and file name, execute that script, and then delete it.
i use task scheduler to run cloner under a different username on a schedule.
that registry can only be accessed by that username.
the folder containing all the scripts can only be accessed by that username.
the temp folder is also locked down to that username.
there is more to it but that is the gist of it.
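
The last steps described in this post (put the decrypted script in a randomly named temp folder, run it with RCLONE_CONFIG_PASS set, delete it afterwards), sketched as an added Python example that is not the poster's cloner code. The names `run_with_secret` and `RunResult`, the `interpreter` argument and the sample script are assumptions, and decryption is taken as already done by the caller.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from collections import namedtuple

# Hypothetical result type for this example.
RunResult = namedtuple("RunResult", "returncode stdout workdir")


def run_with_secret(script_bytes, password, interpreter, suffix=".cmd"):
    """Run an already-decrypted script from a throwaway directory.

    The password is handed over only through the child's environment, so it
    is never written into the script file or put on a command line.
    """
    # mkdtemp picks a random name; on POSIX the directory is created 0700.
    workdir = tempfile.mkdtemp(prefix="cloner-")
    try:
        fd, path = tempfile.mkstemp(suffix=suffix, dir=workdir)
        with os.fdopen(fd, "wb") as fh:
            fh.write(script_bytes)
        # Copy the environment: this process's own os.environ stays unchanged.
        child_env = dict(os.environ)
        child_env["RCLONE_CONFIG_PASS"] = password
        proc = subprocess.run(
            list(interpreter) + [path],
            env=child_env,
            capture_output=True,
            text=True,
            check=False,
        )
        return RunResult(proc.returncode, proc.stdout, workdir)
    finally:
        # Runs on success, non-zero exit and exceptions alike, so the
        # decrypted script does not outlive the run.
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    # Constructed stand-in for the batch file: reports whether the variable
    # is visible to the child without printing its value.
    demo = b"import os; print('RCLONE_CONFIG_PASS' in os.environ)"
    result = run_with_secret(demo, "constructed-password", [sys.executable], ".py")
    print(result.returncode, result.stdout.strip(), os.path.exists(result.workdir))
```

On Windows the call would use `["cmd.exe", "/c"]` as the interpreter with the real batch file contents.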