I was about to implement it into a pilot project, but then ran into this while reading the docs:

# New person joins the team:

# 7. Team lead updates fnox.toml with new recipient

# Then re-encrypts all secrets:

fnox set DATABASE_URL "$(fnox get DATABASE_URL)" --provider age # ... repeat for all secrets

It's a bit surprising you have to manually do this, I'd imagine fnox already has knowledge of all the secrets and could do this automatically.