IMHO, a sane dev workflow implies that every registered / encrypted file's plaintext version is added to .gitignore.
Agebox should encourage or enforce that, e.g.:
```sh
# Enable gitignore handling
agebox init --gitignore # Maybe this is even the default.
agebox encrypt secrets.env
# secrets.env is now added to .gitignore
```
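The behaviour requested above can be approximated today with a small wrapper run after encrypting. This is an added example, not part of the original post or of agebox: the function name `ensure_ignored` is hypothetical, and it assumes encrypted files carry a `.agebox` suffix next to where the plaintext would live.

```shell
#!/bin/sh
# Added example, not agebox code.
# Assumption: encrypted files are named "<plaintext path>.agebox".

# ensure_ignored REPO_ROOT
# For every *.agebox file under REPO_ROOT, make sure the plaintext path is
# listed in REPO_ROOT/.gitignore as a root-anchored entry ("/dir/file").
# Idempotent. Prints the number of entries added.
# Caveat: names containing gitignore glob characters (*, ?, [) are written
# unescaped and would need manual escaping.
ensure_ignored() {
    root=$1
    ignore="$root/.gitignore"
    added=0

    [ -f "$ignore" ] || : > "$ignore"
    # If the file does not end in a newline, add one so that the first
    # appended entry is not glued onto the existing last line.
    if [ -s "$ignore" ] && [ -n "$(tail -c 1 "$ignore")" ]; then
        printf '\n' >> "$ignore"
    fi

    list=$(cd "$root" && find . -type f -name '*.agebox' ! -path './.git/*' | sort)

    # A here-document keeps the loop in the current shell, so $added survives.
    while IFS= read -r enc; do
        [ -n "$enc" ] || continue
        plain="/${enc#./}"        # ./conf/db.yaml.agebox -> /conf/db.yaml.agebox
        plain="${plain%.agebox}"  #                       -> /conf/db.yaml
        # -x whole line, -F literal: "." must not act as a regex wildcard.
        if ! grep -qxF -- "$plain" "$ignore"; then
            printf '%s\n' "$plain" >> "$ignore"
            added=$((added + 1))
        fi
    done <<EOF
$list
EOF
    echo "$added"
}

# Stand-alone use: sh ensure_ignored.sh /path/to/repo
if [ "$#" -gt 0 ]; then
    ensure_ignored "$1"
fi
```

An ignore entry has no effect on a plaintext file git already tracks; such a file still has to be removed from the index with `git rm --cached`.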