Many cloud compute providers are adding support for OIDC to support cross-vendor workloads, and I'd love to see CircleCI join in. OIDC enables federation of credentials/identity from one provider to another. Rather than requiring that a user supply static credentials, OIDC allows them to exchange a short-lived credential injected by the platform with the remote service. That credential embeds information about the identity of a workload. In git, that identity information might include the organization/repo name and the branch/ref.
This makes it easy to author fine-grained access policies for specific repos and ensures that long-lived credentials aren't exposed to CI workloads.
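To make the exchange concrete, here is an added example (not from the original post, and not CircleCI's or any cloud vendor's real implementation) of how a cloud provider's federation endpoint would evaluate a CI-issued OIDC token against a trust policy keyed on the org/repo/branch identity described above. The issuer and audience URLs, the `sub` claim format `repo:<org>/<repo>:ref:<ref>`, the policy shape, and the HS256 shared-secret signing are all assumptions chosen so the example runs offline; real OIDC tokens are RS256/ES256-signed and verified against the issuer's published JWKS.

```python
"""Added example: OIDC workload-identity token verification and role exchange.

Assumptions (not any vendor's real behaviour): issuer/audience URLs, the
`sub` claim format, the policy shape, and HS256 with a shared secret as an
offline stand-in for asymmetric signatures verified via JWKS.
"""
import base64
import fnmatch
import hashlib
import hmac
import json
import time

ISSUER = "https://oidc.example-ci.invalid"          # hypothetical CI issuer
AUDIENCE = "https://sts.example-cloud.invalid"      # hypothetical cloud STS
SECRET = b"demo-shared-secret-for-offline-example"  # constructed stand-in for JWKS
CREDENTIAL_TTL_SECONDS = 900                        # short-lived by design


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Stand-in for the token the CI platform injects into a job."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust `alg` blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Trust policy: which workload identities may assume which role. Only main may
# deploy to prod; any branch of the repo may deploy to staging. First match wins.
TRUST_POLICY = [
    {"sub": "repo:acme/payments:ref:refs/heads/main", "role": "deploy-prod"},
    {"sub": "repo:acme/payments:ref:refs/heads/*", "role": "deploy-staging"},
]


def assume_role(token: str, requested_role: str, now=None) -> dict:
    """Exchange a verified CI token for a short-lived credential if policy allows."""
    claims = verify_token(token, now)
    subject = claims.get("sub", "")
    for rule in TRUST_POLICY:
        if rule["role"] == requested_role and fnmatch.fnmatchcase(subject, rule["sub"]):
            # A real STS would mint scoped, expiring cloud credentials here.
            return {"role": requested_role, "subject": subject, "expires_in": CREDENTIAL_TTL_SECONDS}
    raise PermissionError(f"{subject!r} may not assume {requested_role!r}")


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300,
                      "sub": "repo:acme/payments:ref:refs/heads/main"})
    print(assume_role(tok, "deploy-prod", now))
```

The policy lives on the cloud side and binds a role to a specific repo and ref, so a job on a feature branch cannot obtain the production role even though it carries a valid token from the same issuer, and nothing long-lived is ever stored in the CI configuration.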
OIDC is supported by GitHub Actions and GitLab CI/CD:
OIDC addresses the underlying security issues directly (long-lived credentials, potentially shared via contexts). IP ranges add a layer of defence (a network perimeter) that makes those weaknesses harder to exploit without actually fixing them.