pull_request_target is more secure than pull_request, which is why it gets access to secrets. There's nothing "fundamentally insecure" about it.

Can you elaborate on this?