Make the burn engine call SecureZeroMemory as necessary.
Make the burn engine encrypt the values in the BURN_VARIANT struct if the variable is hidden.
In the managed engine, create a new SecureStringVariables property so that the managed BA can pass the contents of a SecureString to the engine without ever putting it into a System.String.
This greatly reduces the window of opportunity for an adversary to get the unencrypted value, but it doesn't eliminate it. For example, if the engine's process is forcibly killed, then it won't be able to make sure that the memory was zeroed out.
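The zeroing step described above, as an added example in portable C; it is not code from the burn engine. `secure_zero` is an assumed stand-in for SecureZeroMemory, `DEMO_VARIANT` and the `variant_*` functions are hypothetical and do not reflect the real BURN_VARIANT layout, and the encryption of hidden values is not shown.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for SecureZeroMemory (assumption): writes through a volatile
   pointer are not removed by the optimizer, unlike a memset before free(). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical variant, not the real BURN_VARIANT layout. */
typedef struct {
    char  *value;   /* owned copy of the string value */
    size_t cap;     /* allocated size; the whole allocation is wiped */
    int    hidden;  /* nonzero: the value is a secret */
} DEMO_VARIANT;

/* Release the current value, wiping it first if hidden.
   Returns the number of bytes wiped. */
size_t variant_clear(DEMO_VARIANT *v) {
    size_t wiped = 0;
    if (v->value) {
        if (v->hidden) { secure_zero(v->value, v->cap); wiped = v->cap; }
        free(v->value);
    }
    v->value = NULL;
    v->cap = 0;
    return wiped;
}

/* Replace the value; an old hidden value is wiped before it is freed.
   Returns 0 on success, -1 on allocation failure. */
int variant_set(DEMO_VARIANT *v, const char *s, int hidden) {
    size_t cap = strlen(s) + 1;
    char *copy = malloc(cap);
    if (!copy) return -1;
    memcpy(copy, s, cap);
    variant_clear(v);
    v->value = copy; v->cap = cap; v->hidden = hidden;
    return 0;
}

/* Copy the value out for short-lived use. The caller owns `out` and
   must secure_zero() it as soon as it is done with the plaintext. */
int variant_get(const DEMO_VARIANT *v, char *out, size_t outlen) {
    if (!v->value || v->cap > outlen) return -1;
    memcpy(out, v->value, v->cap);
    return 0;
}
```

Every temporary copy handed out by `variant_get` is a separate plaintext location, so each caller wipes its own buffer rather than relying on `variant_clear`.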