Restrict key file access to allow keepassxc executable only

I would like to be able to secure a KDBX _key file_ in my $HOME, so that nobody except keepassxc (and root) can access it, __excluding even myself__. My only approach is to use the setgid bit on the executable/s and give the key file corresponding group membership but unfortunately, keepassxc's GUI is a GTK+ application, that does not like setuid or setgid bits and terminates itself, when detected. To setup a test environment with a dummy KDBX vault and a key file:

sudo addgroup keepassxc

sudo chgrp keepassxc $(which -P keepassxc)
sudo chmod g+s $(which -P keepassxc)

# to revert back afterwards:
# sudo delgroup keepassxc
# sudo chgrp root $(which -P keepassxc)
# sudo chmod g-s $(which -P keepassxc)

# create test files
keepassxc-cli db-create -p -k key.file test.kdbx
chmod -rwx,g+r key.file
sudo chown root:keepassxc key.file

# access test
keepassxc --keyfile key.file test.kdbx # should succeed
sha256sum key.file                     # should fail

but, like i said, the keepassxc GUI terminates with

Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.

(process:102257): Gtk-WARNING **: 19:45:45.157: This process is currently running setuid or setgid.
This is not a supported use of GTK+. You must create a helper
program instead. For further details, see:

    http://www.gtk.org/setuid.html 

Refusing to initialize GTK+.

I refuse to fiddle around with keepassxc any further. There are good reasons for the restriction of setu/gid bits for sure. Do you know a solution for my approach? Is it even preferable? Is there an easy template/solution for mentioned helper program? Bash only? Are there better ways to achive my goal of limited file access to a single executable?