Can Vault agent fetch data key from transit secret engine backend key?

Vault agent uses consul-template for rendering the secrets.

It’s possible to create a PUT/POST request instead of a GET. See the relevant documentation here.

Additionally, you can set the Vault agent annotation vault.hashicorp.com/agent-inject-token value to true to make the agent write its token to /vault/secrets/token, which your Pod can use to run any other vault commands it may need (depending on the policy assigned to the token by the authenticating role).

Lastly, there are other agents that offer first-class support for on-the-fly transit encryption/decryption.
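The write-instead-of-read approach from the answer above, as an added example that is not part of the original answer: passing a parameter to consul-template's `secret` function turns the call into a write, which is what the transit `datakey` endpoint requires. The mount path `transit`, the key name `app-key`, the role and service account `app`, the file name `datakey` and the image are assumptions.

```yaml
# Added example. Names marked "hypothetical" are assumptions, not from the answer.
apiVersion: v1
kind: Pod
metadata:
  name: app                                  # hypothetical
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app"          # hypothetical Vault auth role
    # Inject only the init container, so the template is rendered once at
    # start-up. Every render is a write and returns a brand-new data key.
    vault.hashicorp.com/agent-pre-populate-only: "true"
    # Rendered to /vault/secrets/datakey (the suffix "datakey" is the file name).
    vault.hashicorp.com/agent-inject-secret-datakey: "transit/datakey/plaintext/app-key"
    # The extra "bits=256" argument makes consul-template send a write
    # (PUT/POST) instead of a GET. The role's policy therefore needs the
    # "update" capability on transit/datakey/plaintext/app-key.
    vault.hashicorp.com/agent-inject-template-datakey: |
      {{- with secret "transit/datakey/plaintext/app-key" "bits=256" -}}
      plaintext={{ .Data.plaintext }}
      ciphertext={{ .Data.ciphertext }}
      {{- end }}
spec:
  serviceAccountName: app                    # hypothetical
  containers:
    - name: app
      image: registry.example.com/app:1.0    # placeholder image
```

The rendered file holds the base64 plaintext key next to its wrapped form, so store only the `ciphertext` value with the encrypted data and keep the plaintext in memory.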