Thank you.

The intention for the shared items are to be open text. These could be things like shared endpoints, names or configuration, but I would not recommend secure values. For something like that you could have they stored in a Key Vault with System or User Assigned Identity access. This would mean the secrets are stored securely with no user access but the APIM system can access them via policies.

Also no I have not tried the Workspaces yet but I have heard you can replicate this design with them.