This message was deleted.
# general
s
This message was deleted.
n
If they're really using Vault, then it would read a KMS CMK, and use that for its own internal encryption. At that point Vault will have auto unseal, that capability will be gated by cloud resources, and Vault's storage will still be encrypted with a separate internal key derived from KMS.
At that point, access to Vault is governed by the roles and policies you add to it, so if their folks don't have access, they can't read it (modulo direct access attacks like memory reading).
I'm iffy on what Humanitec is doing (never used it, but have used Vault) so take this with a grain of salt (salt pun intended).
j
Thank you