After using dotenv (or dotenvx) for a while, I'm still not the best way on how to use it.
.env.example seems like a sane approach for providing keys that need to be filled in with secrets, usually in an .env. Alternative secrets are stored in .env.local if .env is the example file. Either way this keeps secrets out of Git.
Where it gets a bit more confusing is sharing environment variables across environments that aren't secret. e.g. Database IDs. Is it okay to put them into something like .env.development and .env.production and commit those?
I don't believe .env.production with orthogonal environment variables breaks any 12factor config rules. It's just a config file essentially, as long as it doesn't have secrets. This does make it infinitely easier to create a production-like environment on a local machine.
Regardless, secrets should be kept out of anything in Git. Load them through something like GitHub CI variables directly.