@bjorn3 but the main problem here is FFI use cases. A C library wrapped via an FFI binding can call fork/exec, in which case it might use the system environment, not the shadow environment.
And if it's implemented in a separate set of parallel APIs like env::remove_var_rust like @RalfJung was suggesting, and the shadow environment becomes the "default" for fork/exec, isn't that a breaking change? That means env::remove_var will no longer modify the environment passed to fork/exec, which means anyone currently relying on it to clear secrets will no longer have their secrets cleared from the environment.
IMO having a mutable shadow environment which can diverge from the system environment is going to make things a lot more confusing.
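The behaviour the comment above says people rely on today, shown as an added example (not code from the thread or from std): Rust's std::env::set_var/remove_var write through to the libc environment, so a C library reached via FFI (modelled here by calling libc getenv directly) and a fork/exec'd child both stop seeing the value once remove_var has run. If a shadow environment became the thing remove_var mutates, the "after" observations below would be the ones to change. The variable name DEMO_FFI_SECRET, the value hunter2 and the use of printenv as the child process are all constructed for this demonstration.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;
use std::process::Command;

// Constructed variable name used only for this demonstration.
const SECRET_NAME: &str = "DEMO_FFI_SECRET";

// libc's getenv, declared by hand so the example needs no extra crate.
// This is the path a C library wrapped via an FFI binding takes when it
// inspects the environment on its own, bypassing Rust's std::env.
extern "C" {
    fn getenv(name: *const c_char) -> *const c_char;
}

/// What C code sees for `name`: reads the process environment through libc.
fn c_side_getenv(name: &str) -> Option<String> {
    let cname = CString::new(name).expect("no NUL in name");
    // SAFETY: getenv receives a valid NUL-terminated string, and the returned
    // pointer is copied into an owned String before anything else touches
    // the environment. Nothing mutates the environment concurrently here.
    unsafe {
        let p = getenv(cname.as_ptr());
        if p.is_null() {
            None
        } else {
            Some(CStr::from_ptr(p).to_string_lossy().into_owned())
        }
    }
}

/// What a fork/exec'd child inherits. Returns Some(true) if the child can see
/// the variable, Some(false) if it cannot, and None if `printenv` (assumed to
/// be installed) cannot be spawned at all.
fn child_sees(name: &str) -> Option<bool> {
    // `printenv NAME` exits 0 when NAME is set and non-zero when it is unset.
    let status = Command::new("printenv").arg(name).output().ok()?.status;
    Some(status.success())
}

/// Runs the scenario under today's std behaviour and returns
/// (C-side view before removal, C-side view after removal, child view after removal).
fn secret_cleared_via_remove_var() -> (Option<String>, Option<String>, Option<bool>) {
    // set_var/remove_var are unsafe fns in edition 2024; the unsafe block is
    // merely redundant on older editions.
    unsafe { std::env::set_var(SECRET_NAME, "hunter2") };
    let before = c_side_getenv(SECRET_NAME);
    // The call a program makes today to scrub a secret before handing control
    // to FFI code or spawning children.
    unsafe { std::env::remove_var(SECRET_NAME) };
    let after = c_side_getenv(SECRET_NAME);
    let child = child_sees(SECRET_NAME);
    (before, after, child)
}

fn main() {
    let (before, after, child) = secret_cleared_via_remove_var();
    println!("C-side getenv before remove_var: {:?}", before);
    println!("C-side getenv after remove_var:  {:?}", after);
    println!("child inherits after remove_var: {:?}", child);
}
```

Running it shows the C-side view going from Some("hunter2") to None and the child not inheriting the variable; both observations depend on remove_var mutating the real process environment rather than a separate shadow copy.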