OK, I finally solved this, albeit a bit differently... by switching to
nullmailer.

The TL/DR summary is: use the right tool for the job.  Some more details follow
below.

Nullmailer was very easy to set up (the deceptively short HOWTO is pretty much
all that is needed).  The only problem is that there is no way to rewrite the
envelope sender, which is required by my email provider.  I solved that...
creatively. *However* the master branch contains a change that introduces the
"allmailfrom" control file [0], so once version 1.14 is out I can remove the
hack.

This choice came about because I switched from fcron to systemd-cron, which
runs its mail_on_failure script as user "nobody", which caused my current
"passwordeval" command ("cat somefile", somefile having a mode mask of 0600) to
fail due to insufficient access rights.  I really didn't want to deal with how
to properly solve that, and I don't think it's possible (at least not with
msmtp).  I mean, the problem statement is basically "How do I securely give
every user access to the password?".  Once stated that way, I think the
difficulty with the problem becomes fairly obvious.

With nullmailer the remotes file is 0640, with group nullmailer, so only root
or nullmailer can access it.  It's also simple enough that I simply didn't add
it to git.  So the password is in plain text, but access is strictly limited.

But really, I *should* have been tipped off by the package description:  "An
SMTP client and SMTP plugin for mail user agents such as Mutt".  The above
problem simply doesn't exist when running msmtp as a normal user (in which case
you probably don't even have an /etc/msmtprc).

[0]
https://github.com/bruceg/nullmailer/commit/da55b71b6136bcefc7aa784a7f9fd45987670a7a
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup