Bug
Resolution: Done
Minor
In https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#interpolation-of-sensitive-environment-variables it is claimed that using single-quotes in a shell step is enough to avoid leaking secrets from environment variables used on the command line of a process into places like OS process listings.
This is not actually correct: whether Groovy or the shell does the interpolation is irrelevant to the OS process listings, because when the actual process is started the value will be in its place in argv. The OS process listing of the variable value is only avoided if the process reads the environment variable directly, not if the shell inserts it into the command line.
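
The difference described in this report can be checked with the following added example, which is not part of the issue or of the Jenkins documentation. It assumes Linux with `/proc`; `DEMO_SECRET` and the `tool --password` arguments are constructed stand-ins for a credential variable and a command that takes it on its command line.

```sh
#!/bin/sh
# Constructed secret value for the demonstration (not a real credential).
DEMO_SECRET='constructed-secret-4f1c'
export DEMO_SECRET

# Run "$@" in the background and return 0 if the secret value shows up in the
# child's argv as exposed by /proc/<pid>/cmdline (the data ps reads on Linux).
secret_in_argv_of() {
    "$@" >/dev/null 2>&1 &
    pid=$!
    sleep 1    # let the child exec before inspecting it
    if tr '\0' ' ' < "/proc/$pid/cmdline" | grep -q -F -e "$DEMO_SECRET"; then
        found=0
    else
        found=1
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return "$found"
}

# Case 1: the shell expands the variable, so the value becomes part of the
# child's argv. This is what happens inside a single-quoted sh step too:
# Groovy leaves $VAR alone, but the step's shell still expands it.
expanded_by_shell() {
    secret_in_argv_of sh -c 'sleep 3; :' tool --password "$DEMO_SECRET"
}

# Case 2: the child looks the variable up in its own environment. Its argv
# holds only the literal text ${DEMO_SECRET:?}, never the value.
read_from_env() {
    secret_in_argv_of sh -c ': "${DEMO_SECRET:?}"; sleep 3; :'
}

if expanded_by_shell; then
    echo "expanded by shell:     secret value visible in argv"
fi
if read_from_env; then
    echo "read from environment: secret value visible in argv"
else
    echo "read from environment: secret value not in argv"
fi
```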