I see your point, but using EnvKey also removes storing plain text copies of secrets as a default step in the workflow, so after you revoke an ENVKEY, it's a lot less likely that copies are still floating around. Of course, in the event that you're worried about this, you still need to assume that copies could have been made, so you still have to rotate any secrets that could have been exposed. EnvKey makes that process a LOT faster as well, and speed can be crucial in the case of a compromise.
In short, while EnvKey doesn't solve every conceivable issue with managing secrets securely, and still requires some common sense, I think it does offer a drastically better default workflow for companies that are currently sharing secrets on email or Slack, keeping them in git, etc.