I wanted to add an addendum to this. So in Azure DevOps, when working with yaml files, you can use the Azure DevOps pipelines "Library" to load environment variables. When you look at those environment variables, in the Azure DevOps pipeline library, there is a way to "lock" the variable so that it is not plain-text (and thus masked by asterisks so that no one else with access to the library can see it).
Where is this going? So it turns out (and this is all Azure DevOps pipelines thus far we are talking about) that when a pipeline library variable is masked, it can only be used in the yaml file "on-the-fly"...meaning you cannot assign the environment variable to another local yaml file variable, such as "mytempvar=$(library_masked_variable)"...
That will not work as "$mytempvar" will just be encrypted and unuseable.
I think the same thing is going on with secrets that are pulled from a Databricks secret scope and used inside Azure DevOps pipeline yaml files. This might have more to do with Azure DevOps and the way it processes bash scripting in yaml files than it does with anything about Azure Databricks secret scopes and the REST API.
Hope that helps.