The default secrets provider uses the Pulumi service - and thus you must be logged in to the Pulumi service to add encrypted secrets. But you can use another secrets provider if you want (with different credentials) - like KMS, Vault, etc.
See: https://www.pulumi.com/docs/intro/concepts/config/#configuring-secrets-encryption