Channel: SCN: Message List - Security

Re: Store sensitive credentials for https connections?


Hi Steffen,

I think your threat model is too strict. Yes, a user with access to the debugger (read-only is enough) will be able to put a breakpoint after your program reads data from the secure store and see it. But that's why you restrict access to the debugger in production. I can't imagine any technical implementation in which a user with sufficient debugging authorization can't recover a key. The only way to solve this is to push this out of ECC. You could do this in PI, and hence there would be no need to store the secret in ECC (I assume here that we are talking about ECC). But you would have the same problem in PI. It would be a bit easier because you usually don't have regular users in PI, but these regular users usually don't have access to the debugger either. And if you want to protect against a malicious developer, then you have the same problem.

For example, the ABAP AS uses the secure store to store predefined passwords of SICF services. Again, this is sufficient to prevent users with regular access from retrieving passwords, but it does not stop a developer with a debugger.

Martin
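The reasoning in the reply above, shown as an added example that is not part of the original thread and not Martin's or SAP's code: a credential is kept encrypted at rest in a toy "secure store", the application decrypts it only to build an HTTPS Authorization header, and a purely read-only trace hook (the Python analogue of a read-only ABAP debugger breakpoint) captures the plaintext the moment the program has it in a local variable. The store, the instance key, the record name HTTPS_CLIENT_CRED and the XOR keystream "cipher" are all constructed for the example; the keystream is not a real cipher and only serves to make the record at rest differ from the password.

```python
import base64
import hashlib
import sys

# Hypothetical instance key material protecting the store (constructed).
INSTANCE_SECRET = b"hypothetical-instance-key-material"
# Constructed sample credential that the application needs for an HTTPS call.
STORED_PASSWORD = "S3cret!Pa55"


def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 counter mode); stand-in only, not a real cipher.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def secure_store_put(plaintext: str) -> str:
    """Encrypt a credential for storage; the record at rest is not the password."""
    data = plaintext.encode()
    ks = _keystream(INSTANCE_SECRET, len(data))
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, ks))).decode()


def secure_store_get(record_id: str) -> str:
    """Decrypt a stored credential; after this call the secret is in clear in memory."""
    data = base64.b64decode(SECSTORE[record_id])
    ks = _keystream(INSTANCE_SECRET, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)).decode()


# Constructed secure store with one record (name is hypothetical).
SECSTORE = {"HTTPS_CLIENT_CRED": secure_store_put(STORED_PASSWORD)}


def call_https_service(record_id: str) -> str:
    """Application code: fetch the credential and build the header it needs."""
    password = secure_store_get(record_id)          # secret is now a local variable
    token = base64.b64encode(("user:" + password).encode()).decode()
    return "Authorization: Basic " + token           # a breakpoint here sees `password`


def run_with_breakpoint(func, *args):
    """Read-only 'debugger': observe locals of `func` without modifying anything."""
    captured = {}

    def tracer(frame, event, arg):
        if frame.f_code is func.__code__:
            # Every event after the assignment exposes the decrypted credential.
            if "password" in frame.f_locals:
                captured["password"] = frame.f_locals["password"]
            return tracer
        return None

    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(None)
    return result, captured


def attacker_recovers_password() -> str:
    """What a user with debug authorization gets: the plaintext, not the record."""
    _, captured = run_with_breakpoint(call_https_service, "HTTPS_CLIENT_CRED")
    return captured.get("password", "")


if __name__ == "__main__":
    print("record at rest :", SECSTORE["HTTPS_CLIENT_CRED"])
    print("seen in debugger:", attacker_recovers_password())
```

The tracer never writes to the frame or alters control flow, which is the point of the reply: encryption at rest protects the record from users who can only read the table, while anyone allowed to observe the running program obtains the credential as soon as the program itself has to use it.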

