So one of the main reasons we see customers choose hybrid over serverless is that it provides much stronger security gaurentees. Mainly it can be boiled down to: With serverless you are ok with Dagster Cloud having access to the entire lifecycle of your application. With hybrid the execution of your jobs can be isolated from Dagster cloud entirely.
In terms of secrets, Dagster Cloud encrypts anything you provide but you are accepting the risk that we might make some blunder (we use KMS for encryption). If you're more confident in your own internal process then hybrid secrets backed by Secrets Manager can be more secure.