I can tell you what we used to do where I work. I don't know if this is
something which would work for everyone.
We didn't have a static .pgpass file; instead we stored the encrypted
password in another location, and our application generated a .pgpass file
with the plaintext password in it for the purpose of establishing the
connection, then removed the file as soon as possible.
What we do now is use cert-based authentication, using a similar process to
create an unencrypted private key file at the last moment and remove it
immediately.
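The short-lived .pgpass approach described in the post, written out as an added example (this is not the poster's code, and it makes some assumptions the post does not state): the already-decrypted password is passed in as a parameter, libpq is pointed at the file through the PGPASSFILE environment variable, and the real connection call (psycopg2.connect or similar) is represented by a `connect` callback so the code runs without a database. The points a practitioner would check are the ones libpq enforces or the post relies on: the file is created with mode 0600 (libpq ignores a .pgpass that is group- or world-readable), colons and backslashes in fields are escaped as the .pgpass format requires, and the file is removed in a `finally` block so a failed connection cannot leave the plaintext behind.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


def pgpass_escape(field: str) -> str:
    """Escape the two characters libpq treats specially in a .pgpass entry."""
    return field.replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(host, port, dbname, user, password) -> str:
    """Build one hostname:port:database:username:password entry."""
    return ":".join(pgpass_escape(str(f)) for f in (host, port, dbname, user, password))


@contextmanager
def ephemeral_pgpass(host, port, dbname, user, password):
    """Write a 0600 .pgpass in a private temp dir, export PGPASSFILE, and remove it on exit."""
    tmpdir = tempfile.mkdtemp(prefix="pgpass-")  # mkdtemp creates the directory mode 0700
    path = os.path.join(tmpdir, "pgpass")
    # O_EXCL: fail rather than follow a pre-existing file or symlink; 0600 is what libpq requires.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    previous = os.environ.get("PGPASSFILE")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(pgpass_line(host, port, dbname, user, password) + "\n")
        os.chmod(path, 0o600)  # belt and braces in case umask or default ACLs widened it
        os.environ["PGPASSFILE"] = path  # libpq reads this instead of ~/.pgpass
        yield path
    finally:
        if previous is None:
            os.environ.pop("PGPASSFILE", None)
        else:
            os.environ["PGPASSFILE"] = previous
        try:
            # Best-effort overwrite before unlink. This is not a guarantee on journaling,
            # copy-on-write or SSD storage; a tmpfs-backed directory shortens the on-disk window.
            size = os.path.getsize(path)
            with open(path, "r+b") as fh:
                fh.write(b"\0" * size)
                fh.flush()
                os.fsync(fh.fileno())
        except OSError:
            pass
        for remover, target in ((os.unlink, path), (os.rmdir, tmpdir)):
            try:
                remover(target)
            except OSError:
                pass


def connect_with_ephemeral_pgpass(connect, host, port, dbname, user, password):
    """Run connect() (e.g. a psycopg2.connect call) only while the password file exists."""
    with ephemeral_pgpass(host, port, dbname, user, password):
        return connect()


def demo_roundtrip():
    """Constructed demonstration: record what libpq would see inside the window, and what is left after."""
    observed = {}

    def fake_connect():
        # Stand-in for the real connection; it only inspects the file libpq would read.
        path = os.environ["PGPASSFILE"]
        observed["path"] = path
        observed["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            observed["content"] = fh.read()
        return "connected"

    # Constructed sample credentials; the password deliberately contains ':' and '\'.
    observed["result"] = connect_with_ephemeral_pgpass(
        fake_connect, "db.example.invalid", 5432, "app", "svc_user", "p:ss\\w0rd")
    observed["exists_after"] = os.path.exists(observed["path"])
    observed["env_after"] = os.environ.get("PGPASSFILE")
    return observed


if __name__ == "__main__":
    print(demo_roundtrip())
```

The same shape (private temp directory, 0600 file, cleanup in `finally`) applies to the unencrypted private key file in the cert-based variant; only the file content and the environment variable or connection parameter naming it would differ.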