Aug 7, 2022
Sealed secrets don't keep private keys in plain sight in the repo either. They keep them in encrypted format. Perhaps you misunderstand what "plain sight" would mean here. Also there is a huge difference between exposing encrypted credentials in a public source code repository and doing it in a private one.
Advice should be tempered to the situation we are talking about. In the case of a public repo, that's a bit different, and using GitLab/GitHub repo secrets is better for package publishing credentials. But there really isn't much else you would need there.