How to protect envvar secrets?

I’m new to drone, sorry if I’m asking a silly question.

It seems to me that anyone can read the secrets that are passed as environment variables, given they manage to guess the variable names. I believe it can be very scary to store ssh keys in envvars if anyone with access to my webui can read them by triggering a build with a maliciously prepared .drone.yml file.

Am I missing something? Should I put my drone webui behind basicauth?

Thanks :slight_smile:

Please take a look at How to prevent secrets from being exposed.

It seems to me that anyone can read the secrets that are passed as environment variables, given they manage to guess the variable names.

The only way for a random user to trigger a build is to send you a pull request. Per the documentation, secrets are not exposed to pull requests by default. If a random user tries to send a pull request that exposes a secret, they will be unsuccessful even if they know the secret name.

Should I put my drone webui behind basicauth?

Nope, this is not necessary. You could always set the repository visibility to Private in the repository settings screen which limits who can view your repository and its build results, however, practically speaking there are no significant security benefits to doing so.

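As an added illustration of the answer above (not from the thread or from the Drone project's own docs), here is a Drone 1.x pipeline that confines the SSH key to a single deploy step and restricts that step to push events on master, so a pull request build never even schedules the step that references the secret. The secret name `ssh_key`, the branch name and the deploy script path are assumptions.

```yaml
kind: pipeline
type: docker
name: default

steps:
  # Runs on every event, pull requests included. It references no secrets,
  # so a .drone.yml submitted in a pull request has nothing to leak here.
  - name: test
    image: golang:1.20
    commands:
      - go test ./...

  # The only step that references the secret. Besides Drone withholding
  # secrets from pull request builds by default, the "when" block keeps
  # this step from running at all unless the event is a push to master,
  # which still holds if the secret is later allowed for pull requests.
  - name: deploy
    image: alpine:3.18
    environment:
      SSH_KEY:
        from_secret: ssh_key   # assumed secret name, stored in the repository settings
    commands:
      - mkdir -p ~/.ssh
      - echo "$SSH_KEY" > ~/.ssh/id_ed25519
      - chmod 600 ~/.ssh/id_ed25519
      - ./scripts/deploy.sh    # assumed deploy script checked into the repo
    when:
      event:
        - push
      branch:
        - master
```

When the secret is created with the CLI (`drone secret add --repository <owner>/<repo> --name ssh_key --data ...`), it stays unavailable to pull request builds unless `--allow-pull-request` is passed explicitly, so leaving that flag off preserves the default the answer describes.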