That's true, lack of sandboxing (and the fact that all apps run as nemo, if not as root) makes it hard (if not impossible, I'm not security expert) to prevent a malicious application from finding out the secrets - at least without having the user to provide a passphrase to allow Sonar to read it's security config, and even then they might be able to spy IPC.
My idea was, that having key-based authentication would add another layer of security. Then again, I don't really know if it is easy or hard to fake the process command line on SFOS (or Linux in general - probably easy with root privs but how about with normal user privs?).

But you might be right, in the current situation what you've implemented might be as good as it gets without.

Anyway, I installed Sonar and the matching version of Situations over the weekend and I'm soon to find out how things work with them.