Comment by kevlened

Standard .env is unencrypted, while a dotenvx .env file has plaintext keys and encrypted values. Anyone with access to the repo would also need the DOTENVX_PRIVATE_KEY variable to decrypt the env file.

One key deployed to your hosts means adding new secrets doesn't take operations effort. Also, the process uses a public/private key pair, so adding a new variable doesn't expose existing variables.