Shouldn't we rather consider a way to configure this similar to how Apache and PostgreSQL do this, to be able to avoid that the passphrase is visible in my.cnf or in "ps" output?

Both Apache and Postgres take the approach to have a setting to define an external process that will provide the actual passphrase, see e.g.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog

or

https://www.postgresql.org/docs/11/runtime-config-connection.html#id-1.6.6.6.4.3.10.1.3

or for a bit more background discussion:

https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/

Yes, I agree, it makes sense. May be not exactly like that, but in general, yes

here's a very first thought. A new my_getopt prefix. It currently recognizes loose-, skip-, enable-, disable-, maximum-, autoset-.

A new prefix could be, like, read-. For example, instead of --long-query-time=1.234 one would be able to do --read-long-query-time=/file/with/the/value or --read-long-query-time=|executable/returning/a/value.

Gave it a try, more or less using the PostgreSQL approach (not supporting the %p placeholder yet though):

https://github.com/hholzgra/mariadb-server/commit/3b1c654dad6bf1d5a90d0c0351c402aff042d707