The problem isn't the .env file itself but using environment variables at all to pass secrets is insecure.