HA shares all configuration data with every component!

No, the user would have to log in only once to give permission to another component. After that, the component can use the tokens to read the data whenever it is needed. The component should save these tokens in its own private secure store, definitely not in secrets.yaml, otherwise every component would get access to the tokens. Rather than expecting each component to do all this extra work, it would be better to provide a client library that can be used by each component. But I do see your point. The weak links here are the tokens. If the tokens can be read by another component, then the other component will get access to the data. Also, trying to secure an access token using another access token does sound convoluted and silly. Yeah, I would have to think more on this. :rofl:

Auditing one small subsystem should be easier than having to audit every component.

Does HA itself require sensitive information for it to function?