That only applies to that particular Dev Rig example/backend. Not as a “general rule”.
Most of use when using the dev rig to build our own extensions don’t pass in the secret via -s, or if we do we pass the one in from our own Extension. You’ve been tripped up by an example extension!