Docker environment variable security
Regardless of where it is stored, it is clearly accessible via "docker inspect". I think it boils down to how secure you want it to be. For example, you can instead have a shared volume with file permissions to restrict access to a password file on disk. Or you could have a socket/ssh/etc. to avoid putting the password into a file on disk at all. It just depends on how secure you really want to be.
I do note that if you have, say, a web server running in a container, I assume if someone breaks out of the web server they can only access what the container can access (and not the host OS where Docker is running).
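
Added example, not part of the original post: a small audit that reads `docker inspect` JSON and reports credential-looking variables exposed in `Config.Env`, skipping `*_FILE` variables that only point at a mounted password file. The sample JSON, the name pattern, and the function name `audit_inspect` are assumptions made for illustration.

```python
import json
import re

# Constructed sample shaped like `docker inspect <container>` output (a JSON
# array; environment variables are "KEY=VALUE" strings under Config.Env).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "DB_PASSWORD=example-not-a-real-secret",
        "API_TOKEN=example-token",
        "SMTP_PASSWORD_FILE=/run/secrets/smtp_password",
    ]},
    "Mounts": [{"Destination": "/run/secrets", "RW": False}],
}])

# Assumed heuristic: variable names that usually carry credentials.
SECRET_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


def audit_inspect(inspect_json):
    """Return findings for secrets readable in plaintext via docker inspect."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        # Config.Env may be null for containers started without variables.
        env = (container.get("Config") or {}).get("Env") or []
        for entry in env:
            key, _, value = entry.partition("=")
            if not SECRET_NAME.search(key) or not value:
                continue
            # KEY_FILE holds a path to a mounted file, not the secret itself.
            if key.upper().endswith("_FILE"):
                continue
            # Report the name only; never echo the value into audit output.
            findings.append({"container": name, "variable": key,
                             "length": len(value)})
    return findings


if __name__ == "__main__":
    for f in audit_inspect(SAMPLE_INSPECT):
        print(f"{f['container']}: {f['variable']} is visible in "
              f"docker inspect ({f['length']} chars)")
```

On a real host, feed it the output of `docker inspect` for the containers of interest instead of the constructed sample.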