Mine own eyes have seen wp-config.php (as well as other sensitive credentials and API keys) checked into public repositories, unfortunately. It would be great if WP supported .env files natively, it’s definitely the proper place for config values. Too bad it’s not an option, it would likely alleviate this concern for many developers.
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users