I tend to use env variables instead of env files (12 Factor Apps - https://12factor.net/). Safer, not safest. As @late_night_fix mentioned, there has to be a balance.
I've seen teams spend more time managing secret access than building features.There's definitely a balance between security and keeping developer workflow fast.