As you can't use the Helm lookup function in ArgoCD, I think you'll have to use a different approach.
You're right about ArgoCD using helm template to render the Kubernetes manifests and then applying them in the destination cluster. Mind that running helm template <chart name> --dry-run=server would also work for helm in rendering the manifests and using the lookup function. It's just that lookup doesn't work in ArgoCD (as the GH issues referred to in the comments to your post discuss).
You could try to write this logic in a Job, using an image that has kubectl installed (e.g. bitnami/kubectl), using a service account with the necessary RBAC configured to get/create/patch... secrets. Then you might also need a similar cleanup Job that deletes the secret if the Application gets removed, making use of ArgoCD's resource hooks (https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/).
Another possibility, if the above is too much work and you only care about the secret not being recreated every time it goes out of sync: why not let ArgoCD ignore the contents of the secret for diffing? Check: https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#application-level-configuration
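
The Job approach from this answer, as an added example that is not part of the original answer: a PreSync hook Job creates the secret only when it does not already exist, running under a service account limited to get on that one secret and create on secrets. The names secret-init and app-secret, the my-app namespace and the latest image tag are assumptions.

```yaml
# Added example. Assumed names: secret-init, app-secret, namespace my-app.
# RBAC objects are hooks in wave -1 so they exist before the Job runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-init
  annotations: {argocd.argoproj.io/hook: PreSync, argocd.argoproj.io/sync-wave: "-1"}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-init
  annotations: {argocd.argoproj.io/hook: PreSync, argocd.argoproj.io/sync-wave: "-1"}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["app-secret"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-init
  annotations: {argocd.argoproj.io/hook: PreSync, argocd.argoproj.io/sync-wave: "-1"}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: secret-init}
subjects: [{kind: ServiceAccount, name: secret-init, namespace: my-app}]
---
apiVersion: batch/v1
kind: Job
metadata:
  name: secret-init
  annotations: {argocd.argoproj.io/hook: PreSync, argocd.argoproj.io/hook-delete-policy: HookSucceeded}
spec:
  template:
    spec:
      serviceAccountName: secret-init
      restartPolicy: Never
      containers:
      - name: kubectl
        image: bitnami/kubectl:latest   # assumption; pin a tag or digest in practice
        command: ["/bin/sh", "-c"]
        args:
        - |
          kubectl get secret app-secret >/dev/null 2>&1 && exit 0   # keep existing value
          kubectl create secret generic app-secret \
            --from-literal=password="$(head -c 32 /dev/urandom | base64)"
```

Kubernetes RBAC cannot restrict create requests by resourceNames, which is why only the get rule is scoped to the single secret.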