Not surprising to you, but surprising to thousands of users who will not think about this, or who will have believed the marketing promises.
Well I saw vibe coders commit .env files with real credentials to public repository, but I didn't see anyone blaming Git for allowing .env or secrets to be commited in the first place.