Note that pass was developed (and is maintained) by Jason Donenfeld (zx2c4), the same person who developed Wireguard, the new VPN protocol.
Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.
This looks to me like the correct way to do this in bash, as long as you can guarantee that $PREFIX does not start with whitespace (which may be a valid assumption here).
From what I can tell, the code quality is way better than what you see in your average bash script.
GPG is FIPS 140-2 compliant (though pass itself might not be, depending on the specific way it's used). Most likely pass would have to use GPG in a specific FIPS-compliant mode to pursue validation.
GPG has a FIPS mode that will use FIPS 140-2 primitives.
But you'll have a finding an audit in some circumstances as it hasn't been validated. I've seen cases where they'll miss that if it's running on RHEL, but it's a risk.
Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.