Mine own eyes have seen wp-config.php (as well as other sensitive credentials and API keys) checked into public repositories, unfortunately. It would be great if WP supported .env files natively, it’s definitely the proper place for config values. Too bad it’s not an option, it would likely alleviate this concern for many developers.