Is it possible in PowerShell to get the previously created certificate serial number after requesting a new certificate?

You're correct that when running Certify the service uses the Local System account, which doesn’t have the same access to encrypted data. Generally, if this is using the Windows Data Protection APIs, you get the choice of user-level encryption or machine-level. For the Certify Credentials manager (under Settings) we're using machine level, so that the decryption is tied to the machine, not the user.

It would be technically possible to pass in selected credentials stored in Certify in a decrypted form and access them in PowerShell as part of $result. Obviously once they're decrypted anything can happen to them depending on what your script does.

I’ve also briefly looked into offering Azure Vault and HashiCorp Vault as potential credential storage providers (so credentials aren’t kept on the machine) but not really worked on that yet.
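
The user-level versus machine-level choice described in the reply above can be observed directly with the .NET `ProtectedData` class. This is an added example, not part of the original post and not Certify's code. It assumes Windows PowerShell 5.1; the helper names, the file path and the sample secret are constructed for illustration.

```powershell
# Added example: compare DPAPI CurrentUser and LocalMachine scopes across two accounts.
# Run once as a normal user, then again as another account (for example a service
# or scheduled task running as Local System).
Add-Type -AssemblyName System.Security

function Protect-Secret([string]$PlainText, [System.Security.Cryptography.DataProtectionScope]$Scope) {
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret([string]$Blob, [System.Security.Cryptography.DataProtectionScope]$Scope) {
    try {
        $raw   = [Convert]::FromBase64String($Blob)
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($raw, $null, $Scope)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch {
        # DPAPI refuses blobs that were protected for a different user profile
        "<cannot decrypt: $($_.Exception.Message)>"
    }
}

$store  = Join-Path $env:ProgramData 'dpapi-scope-demo.json'   # hypothetical demo path
$whoami = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

if (-not (Test-Path $store)) {
    # First run: protect the same constructed secret under both scopes
    $secret = 'constructed-sample-token'
    [pscustomobject]@{
        ProtectedBy = $whoami
        UserBlob    = Protect-Secret $secret CurrentUser
        MachineBlob = Protect-Secret $secret LocalMachine
    } | ConvertTo-Json | Set-Content -Path $store -Encoding UTF8
    "Blobs written by $whoami to $store. Run the script again as a different account."
} else {
    # Later run: try to recover both blobs as whoever is running now
    $saved = Get-Content -Path $store -Raw | ConvertFrom-Json
    "Protected by : $($saved.ProtectedBy)"
    "Running as   : $whoami"
    "CurrentUser  : $(Unprotect-Secret $saved.UserBlob CurrentUser)"
    "LocalMachine : $(Unprotect-Secret $saved.MachineBlob LocalMachine)"
}
```

On the second run under a different account, the CurrentUser blob fails to decrypt while the LocalMachine blob is recovered. With machine scope, the file permissions on the stored blob (and any optional entropy) are what limit which accounts on that machine can read the secret.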