I often use one secret, then switch it with a different secret. To ease the switching, I comment out one secret and uncomment the other. Turns out that the comment is copied over when remixed. This may have caused my chat bot’s API key to get leaked. I don’t know if anyone remixed my project or not.
In general this statement seems potentially misleading:
You can use the .env file to hide sensitive information like passwords and data.
How can a user discover that comments are leaked before it’s too late?
Perhaps initialize a comment in each .env file stating very clearly in caps like “COMMENTS ARE VISIBLE TO USERS THAT REMIX THIS APP, MAKE SURE THERE ARE NO SECRETS IN YOUR COMMENTS”.
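One way to catch this before remixing or sharing a project is to lint the .env file for commented-out lines that still look like secret assignments. The script below is an added example written for this thread, not code from the original post or from the platform; the sample .env content is constructed, and the list of secret-looking variable names and the "long value with no spaces" heuristic are assumptions you can tune for your own project.

```python
import re
import sys

# Constructed sample .env (not from any real project): the pattern described
# above, where one key is active and the previous one is merely commented out.
SAMPLE_ENV = """\
# Chat bot configuration
BOT_NAME=helper
#API_KEY=sk_live_0123456789abcdef0123456789abcdef
API_KEY=sk_test_ffffffffffffffffffffffffffffffff
# TODO: rotate DB password next week
# DB_PASSWORD=hunter2
PORT=3000
"""

# Variable names that usually hold secrets (assumption: extend for your app).
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|PWD|CREDENTIAL)", re.I)
# A commented-out line that still has the shape of a NAME=VALUE assignment.
COMMENTED_ASSIGN_RE = re.compile(r"^\s*#\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def find_commented_secrets(text):
    """Return (line_number, variable_name) for each commented-out assignment
    whose name or value looks like a secret.  Comments in .env survive a
    remix, so anything reported here should be treated as exposed and rotated."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = COMMENTED_ASSIGN_RE.match(line)
        if not match:
            continue  # ordinary comment or an active (uncommented) assignment
        name, value = match.group(1), match.group(2).strip()
        looks_secret_name = bool(SECRET_NAME_RE.search(name))
        # Heuristic: long, space-free values are typically tokens or keys.
        looks_secret_value = len(value) >= 16 and " " not in value
        if looks_secret_name or looks_secret_value:
            findings.append((line_no, name))
    return findings


def check_env_file(path):
    """Lint a .env file on disk; returns the same list as find_commented_secrets."""
    with open(path, encoding="utf-8") as handle:
        return find_commented_secrets(handle.read())


if __name__ == "__main__":
    # Usage: python envlint.py [.env]   (falls back to the constructed sample)
    content = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ENV
    for line_no, name in find_commented_secrets(content):
        print(f"line {line_no}: commented-out secret-looking assignment for {name}")
```

Running it as a pre-commit hook or before sharing a remix link gives the early warning the post asks about; on the sample above it flags the commented-out API_KEY and DB_PASSWORD lines while ignoring the plain-English TODO comment.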