If you are not sharing your workspace or environment, you are no exposing your API key.
But as @devies-daniel correctly said, if your workspace is public, this is not a good approach. In my original reply, I was trying to explain why it does not work as it is.
A more secure option would be to inject these values directly to newman, using --env-var
--env-var "<environment-variable-name>=<environment-variable-value>"