Agreed. At a minimum it would be good to provide a way to protect wireguard credentials at rest, so they aren't just sitting out in the open on disk as a single factor for access to the network. If I had more experience I would love to submit a patch for the default client software, but I don't have much experience, and you don't want inexperienced crypto programming, especially for new features....