Hello Tim,
When you build a basic authentication header, you need the plain password; the developer can print the password at that moment.
So the problem is with basic authentication.
If the backend service abandons basic authentication and accepts a private key for authentication, then it will be more secure, as we only need to protect this private key (the same as protecting the password for basic authentication). This can be done by assigning proper roles to the developer, so that normal developers can only use the private keys in policies but cannot access them directly.
(I tested creating a new user for the gateway without the administrator role and the Manage private keys role; when that user accesses the Manage private keys window, all the buttons are grayed out, but the user can select an existing private key for the Route via HTTPS assertion.)
And yes, security against insiders is always harder.
Regards,
Mark
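As an added example (not part of Mark's message and not code from any gateway product), the point above worked through in Go: a Basic header is only an encoding, so anyone who can print it recovers the password, whereas a private key held behind a use-only signing handle lets a policy author select and use the key without ever reading it. The key store, the aliases, the sample request body and the "Signature keyId=...,sig=..." header format are hypothetical stand-ins for the role split described in the message; the gateway's real mechanism (a client key on an HTTPS route) is not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// BasicHeader builds the value of an "Authorization: Basic ..." header.
// The caller must hold the plaintext password just to build it.
func BasicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// RecoverBasic shows the header is an encoding, not a protection: whoever
// can log or print the header value gets the password straight back.
func RecoverBasic(header string) (user, pass string, err error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", fmt.Errorf("not a Basic header")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return "", "", err
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", fmt.Errorf("malformed credentials")
	}
	return user, pass, nil
}

// keyHandle holds a private key a policy may USE (sign with) but not read:
// the key is an unexported field and the only exported behaviour is crypto.Signer.
// Hypothetical type modelling the "select but cannot access" role split.
type keyHandle struct{ priv ed25519.PrivateKey }

func (h *keyHandle) Public() crypto.PublicKey { return h.priv.Public() }

// Sign satisfies crypto.Signer; Ed25519 signs the message itself, so msg is
// the request bytes and the digest options are ignored.
func (h *keyHandle) Sign(_ io.Reader, msg []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ed25519.Sign(h.priv, msg), nil
}

// KeyStore separates loading key material (administrator / "Manage private
// keys" task) from everyday use (pick a key by alias and sign with it).
type KeyStore struct{ keys map[string]*keyHandle }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]*keyHandle{}} }

// ImportKey is the privileged step: generate a key under alias; only the public half leaves.
func (s *KeyStore) ImportKey(alias string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[alias] = &keyHandle{priv: priv}
	return pub, nil
}

// Signer is the policy-author step: a use-only handle, never the key bytes.
func (s *KeyStore) Signer(alias string) (crypto.Signer, error) {
	h, ok := s.keys[alias]
	if !ok {
		return nil, fmt.Errorf("no private key with alias %q", alias)
	}
	return h, nil
}

// SignedHeader authenticates a request body with the selected key. All a
// developer can print here is the alias and a signature; neither yields the key.
func SignedHeader(signer crypto.Signer, alias string, body []byte) (string, error) {
	sig, err := signer.Sign(rand.Reader, body, crypto.Hash(0))
	if err != nil {
		return "", err
	}
	return "Signature keyId=" + alias + ",sig=" + base64.StdEncoding.EncodeToString(sig), nil
}

// VerifySignedHeader is the backend side: it needs only the public key.
func VerifySignedHeader(pub ed25519.PublicKey, header string, body []byte) bool {
	_, encSig, ok := strings.Cut(header, ",sig=")
	if !ok || !strings.HasPrefix(header, "Signature keyId=") {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(encSig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, body, sig)
}

func main() {
	_, pass, _ := RecoverBasic(BasicHeader("svc", "hunter2")) // constructed credentials
	fmt.Println("Basic header gives back the password:", pass)

	store := NewKeyStore()
	pub, _ := store.ImportKey("backend-client")   // administrator step
	signer, _ := store.Signer("backend-client")   // policy step: select, not read
	body := []byte(`{"order":42}`)                // constructed sample request
	hdr, _ := SignedHeader(signer, "backend-client", body)
	fmt.Println("Signed header verifies:", VerifySignedHeader(pub, hdr, body))
	fmt.Println("Tampered body verifies:", VerifySignedHeader(pub, hdr, []byte(`{"order":43}`)))
}
```

The separation only holds across a package boundary: code inside the key store's own package can still reach the unexported field, which is the same reason the gateway keeps key access behind its administrator role rather than behind the policy editor.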