You may also want to check out https://dmno.dev (full disclosure, I am the author)

It is similar to dotenvx in that it supports loading encrypted secrets that are committed to your repo, but it also supports loading sensitive config from other backends (ex: 1Password) and is extremely flexible to compose your config however you need to. It is also designed to share config items across services within a monorepo, provides validation, type-safety, and a lot more.

I haven't done any testing / special integrations with NX yet, but I don't think anything special will be required, and happy to help work through any issues.