Why are .env files considered secure if they are plain text files?

I should say explicitly, the patterns I’m describing here are usually used with network services or web APIs where your code is running in an environment that you control and the sensitive configuration you need to keep safe is yours.

If you are creating a desktop or terminal application that is intended to run on a users computer / where the sensitive information belongs to a user, what @barry-scott said applies. The operating system usually provides a mechanism for apps to store sensitive values or an app may use a library to manage its own encrypted storage with a user managed key.