NixOS: securely passing environment variables w/ Caddy quickstart
Solution
Nix will, sadly, expose any literal string written in your Nix files: the generated configuration ends up in the world-readable Nix store. To keep sensitive data out of it, a secret-management scheme is needed; the simplest is to reference environment variables from the Caddyfile and load them from a systemd EnvironmentFile that lives outside the store.
services.caddy = {
  enable = true;
  package = pkgs.caddy.withPlugins {
    plugins = [ "github.com/caddy-dns/porkbun@v0.3.1" ];
    hash = "sha256-YZ4Bq0hfOJpa0C2lKipEY4fqwzJbEFM7ci5ys9S3uAo=";
  };
  globalConfig = ''
    acme_dns porkbun {
      api_key {$CADDY_API_KEY}
      api_secret_key {$CADDY_API_SECRET_KEY}
    }
  '';
  virtualHosts = {
    "example.com".extraConfig = ''
      reverse_proxy 127.0.0.1:5000
    '';
  };
};

systemd.services.caddy.serviceConfig.EnvironmentFile = [ "/path/to/.env.caddy" ];

# /path/to/.env.caddy
CADDY_API_KEY=YOUR_KEY
CADDY_API_SECRET_KEY=YOUR_OTHER_KEY
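The EnvironmentFile only keeps the secrets out of the store if the file itself is created with restrictive permissions and nothing in the rendered config leaks the raw value. The following shell helpers are an added example, not part of the original note: they write the env file with mode 0600, refuse a path under /nix/store, and confirm that a rendered config file contains only the {$VAR} placeholder rather than the secret. The key values and file paths used are constructed for illustration.

```shell
#!/bin/sh
# Added example: create and sanity-check the EnvironmentFile used by the caddy
# systemd unit. Paths and key values are constructed placeholders.

# Write the two Caddy variables to $1 with mode 0600. systemd reads
# EnvironmentFile as root before dropping privileges, so the caddy user itself
# never needs read access. umask is scoped to a subshell so it does not leak.
write_caddy_env() {
  path=$1; key=$2; secret=$3
  ( umask 077
    printf 'CADDY_API_KEY=%s\nCADDY_API_SECRET_KEY=%s\n' "$key" "$secret" > "$path" )
}

# Return 0 only if the file lives outside /nix/store (which is world-readable)
# and is not readable by group or others.
check_caddy_env() {
  path=$1
  case "$path" in
    /nix/store/*) return 1 ;;
  esac
  # GNU stat first, BSD stat as fallback.
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null)
  [ "$mode" = "600" ]
}

# Return 0 if the literal secret does NOT appear in a rendered config file
# (e.g. the Caddyfile Nix generated). Only the {$CADDY_API_SECRET_KEY}
# placeholder should be present there.
secret_not_in_file() {
  file=$1; secret=$2
  ! grep -qF -- "$secret" "$file"
}

# Usage when run directly:
#   write_caddy_env /etc/caddy/.env.caddy pk1_example sk1_example
#   check_caddy_env /etc/caddy/.env.caddy && echo "env file ok"
#   secret_not_in_file /etc/caddy/Caddyfile sk1_example && echo "no leak"
```

Run the checks after each rebuild: if `secret_not_in_file` ever fails against a file under /nix/store, the secret has been interpolated into the configuration at evaluation time and the key should be rotated.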