Following up on my pinentry issue— In the end I used a work-around. I decrypted the sensitive file on an off-line OpenBSD machine onto a mounted USB flash drive, then mounted the drive to the Guix machine, did what I needed to do with the file, shredded any copy of the file and finally removed the USB drive and destroyed it with a hammer.
—Marco