It should be easier to refer to a particular Credentials from a script.
Currently you can use GenericSCMStep with a hardcoded ID (or see
JENKINS-26085). But this looks ugly in the script. It would be nicer for not just Workflow but other non-UI-driven plugins as well (Templates, Job DSL, YAML Project, &c.) if you could define a meaningful ID when creating a StandardCredentials. Perhaps this could be in an Advanced block when configuring the credentials. Without such a UI, you have to resort to editing $JENKINS_HOME/credentials.xml and reloading configuration from disk.
Note that the actual lookup of the live StandardCredentials by its ID happens in some context, where the Item and DomainRestrictions are considered. So if the referent is not appropriate in the current context, the plugin code using the ID (for example, git-plugin) is responsible for rejecting the attempt, minimally just by saying that no Credentials with that ID could be found. In other words, security & sanity checks can be done in UI forms but they must be done again at runtime anyway; this is true even for freestyle projects since you can just upload a new config.xml with an arbitrary <credentialsId>...</credentialsId>.
The Credentials plugin does of course need to take care to ensure that IDs are unique within a given CredentialsProvider when loading definitions from disk or adding definitions.