Yes, this. Just supply a few flags to configure terraform backend to store the state in remote storage and encrypt it.

terraform init --backend=gcs --bucket="xxx" --prefix="my-deployment-name" --encryption_key="my-random-bits"

Again, that just puts a bandaid over the problem. You can’t individual audit access to or rotate secrets stored state files.