Forum Discussion
XIII
Super Contributor
4 years ago
How to set up TLS for 1Password Connect?
The documentation on setting up TLS for 1Password Connect is too brief for me...
Where do I need to set OP_HTTPS_PORT ? (On the Pi running Connect? On each client running the CLI? On all of the...
Former Member
4 years ago
However, I'm still not comfortable with it now also getting access to 1password-credentials.json.
That is understandable.
One final thing you can give a try is the following:
1. Create a directory containing those files (e.g. secrets/)
2. Move the credential and .pem to this directory.
3. sudo chown root secrets/ to make the directory owned by root.
4. sudo chmod 744 secrets/ to only give root execute permission on this directory.
5. sudo chmod 644 secrets/<file> for all files in the secrets/ directory.
This should make the files readable in Docker containers, without granting every user on the system access. Why? Only root has the execute permission on the directory (see https://unix.stackexchange.com/a/317446). So only root can read the files. At least on Linux, Docker is run as root and can therefore open the directory and mount the files. Because the files themselves are still readable by all users (the last 4 in step 5), the containers can still read the files after they are mounted, even though they are not running as root.
I have tested this on my Fedora Linux system and there it seems to work. Give it a try on your RasPi to see if it also works on there. You can verify access is denied to regular users by running cat secrets/1password-credentials.json. Note that this will probably not work on macOS or Windows because of the way Docker runs on there.
I will also record a feature request for some more flexibility in configuring this. If I understand you correctly, having a way to use Docker's user: configuration option would work for you?
Joris
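
A check for the directory layout from steps 3 to 5 above, as an added example that is not part of the original post or of 1Password's tooling. The function name audit_secrets_dir and its optional owner argument are assumptions made for illustration, and it relies on a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit a secrets directory against the layout in the post.
# In real use run it with sudo, because regular users cannot traverse
# a root-owned directory with mode 744.

audit_secrets_dir() {
    dir=$1
    want_owner=${2:-root}   # the post uses root; the argument exists for testing
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 2
    fi

    # Step 3: the directory is owned by root.
    owner=$(stat -c '%U' "$dir")
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $dir owned by $owner, expected $want_owner" >&2
        rc=1
    fi

    # Step 4: mode 744, so only the owner holds the execute (traverse) bit.
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "744" ]; then
        echo "FAIL: $dir has mode $mode, expected 744" >&2
        rc=1
    fi

    # Step 5: each file is 644, so a non-root container user can read the mount.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        if [ "$fmode" != "644" ]; then
            echo "FAIL: $f has mode $fmode, expected 644" >&2
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir matches the described layout"
    fi
    return "$rc"
}
```

Call it as `sudo sh -c '. ./audit.sh; audit_secrets_dir secrets/'` (the file name audit.sh is a placeholder); a non-zero return means at least one of the three conditions does not hold.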