It sounds confusing but is correct. Passing secret environment variables in a way that protects from someone gaining either RCE or another information disclosure avenue (e.g. a Symfony debug toolbar exposing PHP's $_SERVER) is hard. Using k8s-managed secret files (that are technically done as a Docker bind-mount) helps against unintentional information disclosure avenues, but they are still vulnerable to an attacker who has achieved RCE (as they can simply execute a cat /var/run/secrets/...).
It's not correct because he states "That’s why it’s best to use secrets as files". This is even worse than storing it in ENV, because in this case you just need read access to the file system instead of needing code execution. If you have RCE with the same privilege level as the application, you will have access to the secret anyway.
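The trade-off argued in the two comments above, as an added example that is not part of either comment: it checks where a secret becomes visible when it is passed as an environment variable versus as an owner-only file. The names DB_PASSWORD and DB_PASSWORD_FILE, the debug_dump stand-in for a debug page, and the secret value are assumptions constructed for the illustration; POSIX file permissions are assumed.

```python
import os
import stat
import subprocess
import sys
import tempfile

SECRET = "constructed-example-secret"  # constructed sample value, not a real credential
DUMP = "import os; print('\\n'.join(f'{k}={v}' for k, v in os.environ.items()))"

def debug_dump(env):
    """Stand-in for a debug page that prints the whole process environment."""
    return "\n".join(f"{k}={v}" for k, v in env.items())

def child_dump(env):
    """Environment as seen by a child process the application spawns."""
    done = subprocess.run([sys.executable, "-c", DUMP], env=env,
                          capture_output=True, text=True, check=True)
    return done.stdout

def load_secret_file(path):
    """Read a file-based secret; refuse files that group or others can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible beyond its owner")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()

def compare():
    """Return where the secret is visible for each delivery style."""
    base = dict(os.environ)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db_password")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SECRET)
        env_style = dict(base, DB_PASSWORD=SECRET)      # hypothetical variable name
        file_style = dict(base, DB_PASSWORD_FILE=path)  # hypothetical variable name
        return {
            "env: debug dump": SECRET in debug_dump(env_style),
            "env: child process": SECRET in child_dump(env_style),
            "file: debug dump": SECRET in debug_dump(file_style),
            "file: child process": SECRET in child_dump(file_style),
            "file: same-user read": load_secret_file(path) == SECRET,
        }

if __name__ == "__main__":
    for where, exposed in compare().items():
        print(f"{where:22} {exposed}")
```

The last row is the point both comments agree on: code running as the application's own user reads the file just as the application does, so the file only closes the environment-dump paths.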