Is it possible to configure VS Team Services Deployments with different apps and different permissions?

When using Visual Studio Team Services Deployments (VSTSD) you can setup a separate git repository. In order to manage different environments we can use mappings. The issue I see with this approach is that you still have to give the client secrets to someone who put those into Azure Devops variables.

To avoid such a cumbersome manual process I would like to have develop an app that is able to read client secrets. Is it possible to restrict access to only read information (e.g. read client secrets)?