Currently, the Anvil app server uses a config.yaml for a bunch of deployment related things, including app secrets, SMTP settings, and mapping folder names to dependency IDs.
You can see this dependency mapping works the same way in the Anvil editor when you edit where a specified dependency points to - no git commit is generated there, because that is a configuration that lives outside of the git repo. Generally, the environment configuration does (and should) match the type of configuration you have in the config.yaml
When it comes to secrets (and SMTP settings), however, the Anvil hosted app handles it differently from the self hosted app server. It reads from the anvil.yaml and seems to decrypt the secret using an app specific encryption key.
Personally I have no use for versioning secrets and SMTP settings and this is still causing confusion when I collaborate externally. Every app instance generates a new record in the anvil.yaml, even non-collaborators who just want to deploy the app as-is. That means they have to maintain a local branch and periodically merge updates from main/master.
It would make more sense to me to define secrets and SMTP outside of version control, directly tied to environments.
Related Discussion:
Somewhat duplicate FR for SMTP settings: