I can tell you what we used to do where I work. I don't know if this is something which would work for everyone.
We didn't have a static .pgpass file; instead we stored the encrypted password in another location, and our application generated a .pgpass file with the plaintext password in it for the purpose of establishing the connection, then removed the file as soon as possible.
What we do now is use cert-based authentication with a similar process: we create an unencrypted private key file at the last moment, and remove it immediately.
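The "write the secret file at the last moment, remove it as soon as the connection is up" flow from the answer above, as an added example; this is not the poster's code and makes a few assumptions: the decrypted password comes from a caller-supplied callable (standing in for whatever vault or decryption step the poster's "other location" is), the file is written into a directory the caller chooses (a tmpfs such as /dev/shm keeps the plaintext off persistent storage), and the actual libpq connection is left as a comment since it needs a live server. The same helper serves the cert-based variant in the last paragraph: libpq likewise refuses a private key file whose mode is more permissive than 0600, so the key can be written and pointed to via PGSSLKEY the same way.

```python
import os
import stat
import tempfile
from contextlib import contextmanager
from typing import Callable, Iterator, Optional


def pgpass_escape(field: str) -> str:
    """Escape the two characters the .pgpass format treats specially.

    libpq reads host:port:database:user:password, so a literal ':' or '\\'
    inside a field must be backslash-escaped.
    """
    return field.replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(host: str, port: int, dbname: str, user: str, password: str) -> str:
    """Build one .pgpass entry with every field escaped."""
    return ":".join(pgpass_escape(str(f)) for f in (host, port, dbname, user, password))


@contextmanager
def ephemeral_secret_file(contents: str, env_var: str,
                          directory: Optional[str] = None) -> Iterator[str]:
    """Write `contents` to a fresh 0600 file, export its path in `env_var`,
    yield the path, and remove the file again on exit (also on exceptions).

    libpq ignores a .pgpass file, and rejects an sslkey file, whose mode is
    more permissive than 0600, so the mode is set before anything is written.
    """
    fd, path = tempfile.mkstemp(prefix=".secret-", dir=directory)
    previous = os.environ.get(env_var)
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)  # mkstemp already uses 0600; be explicit
        with os.fdopen(fd, "w") as fh:
            fh.write(contents if contents.endswith("\n") else contents + "\n")
        os.environ[env_var] = path
        yield path
    finally:
        # restore the caller's environment and shred the plaintext file
        if previous is None:
            os.environ.pop(env_var, None)
        else:
            os.environ[env_var] = previous
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


@contextmanager
def ephemeral_pgpass(host: str, port: int, dbname: str, user: str,
                     fetch_password: Callable[[], str],
                     directory: Optional[str] = None) -> Iterator[str]:
    """Materialise a .pgpass file for one connection attempt.

    `fetch_password` is called only here, so the plaintext exists in memory
    and on disk for as short a window as possible.
    """
    line = pgpass_line(host, port, dbname, user, fetch_password())
    with ephemeral_secret_file(line, "PGPASSFILE", directory) as path:
        yield path


def demo() -> dict:
    """Run the flow with a constructed password and report what was observed.

    The password value and host name are made up for the demonstration.
    """
    observed = {}
    # stand-in for decrypting the stored secret (assumption: any callable works)
    fetch = lambda: "p:ss\\w0rd"
    with ephemeral_pgpass("db.example.internal", 5432, "app", "svc", fetch) as path:
        observed["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            observed["line"] = fh.read().rstrip("\n")
        observed["env_points_at_file"] = os.environ.get("PGPASSFILE") == path
        # here the application would open the connection, e.g.
        # psycopg.connect(host="db.example.internal", dbname="app", user="svc")
        # and libpq would read the password from PGPASSFILE.
    observed["removed_after_use"] = not os.path.exists(path)
    observed["env_restored"] = "PGPASSFILE" not in os.environ
    return observed


if __name__ == "__main__":
    print(demo())
```

The file is created with `mkstemp` (exclusive create, 0600) rather than opened by name, so a pre-planted symlink or another local user cannot race the write. The plaintext still touches disk for the life of the `with` block; keeping `directory` on tmpfs and opening the connection immediately inside the block keeps that window as small as the poster describes.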