Secrets are an exclusive swarm feature. The only thing secret about them are that they are encrypted in the raft logs used to replicate state in the cluster control plane. It provides the secret to the swarm nodes so they can deploy swarm service with secrets, without having to have the file content somewhere on the node.

On a docker engine with disabled swarm mode, secrets (and configs) can not even be created or managed in general. With docker compose deployments, it is possible to use secrets declared in the same compose file, but it was never able to access an external created secret. This makes it in no way more secure than binding a file in read-only mode.

Swarm services always supported a subset of plain docker containers features. Host specific low level configuration items were never implemented for swarm service tasks. Back then, when we had a v2 and v3 compose file reference, it was easier to spot which features are supported by swarm stack or compose project deployments.