So how else should they handle them? Assuming the repo is private, keeping keys in the repo is the most frictionless way to ensure everyone has everything set up correctly.
Environment variables get annoying quickly if you ever need different ones for different projects, and if you create a shell script (or Vagrantfile) to do it for you, you're still keeping the keys in the repo.
Git is designed to facilitate sharing. Repos are a poor tool for managing secrets, especially intermixed with a general software project.
Use something else for secrets. Ideally you would generate the secret on the same server on which it will be used and not move it over the network (except for a one-off backup).
Worse still, they could be using passwords in an external service (eg, for a database) and have included those as well.