Right, i just looked. I think you just get 32 bytes from /dev/urandom, as it notes there you have a negligible chance of an invalid seckey. But also you can check there, right.

Mostly you just use bip32 master secrets ofc, in practice.