Hacker News

Rule #1: never give developers production secrets. That way they won't be able to misuse them or push them to the repo. From my experience, devs only care whether their software works; security is often an afterthought.

Rule #2: it's not only secrets management; the whole stack should go through security hardening and regular security review.




Rule #1 is really important. Unfortunately many small companies and most startups only have developers and no separate operations department. The best those developers can do is keeping secrets out of git, slack and email. I'm using git secret for a project of a customer with one internal developer and about five external consultants.


If that's the case, then only a team lead / most senior dev should have prod secrets, and I would prefer to be very low-tech in terms of secrets management.

Definitely not passing secrets in ENV (because any process can access ENV and exfiltrate) or as a command-line argument (because they will be logged, as all tty commands are).
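As an added example (not the commenter's code), the low-tech alternative that the comment above implies: the process opens a secret file itself instead of receiving the value via argv or ENV, and refuses the file if it is group- or world-readable or not owned by the current user. Assumes a POSIX system; the file name and the secret value are constructed for the demo.

```python
import os
import stat
import tempfile


def load_secret(path: str) -> str:
    """Read a secret from a file that only the current user may read.

    A 0600 file keeps the value out of argv (visible to other users via ps and
    /proc/<pid>/cmdline) and out of the environment (inherited by every child).
    """
    # O_NOFOLLOW refuses symlinks, so a swapped-in link cannot redirect the read.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r", encoding="utf-8") as fh:  # closes fd on exit
        st = os.fstat(fh.fileno())  # fstat on the open fd: no TOCTOU on the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the current user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: readable by group/others; chmod 600 it")
        secret = fh.read().strip()
    if not secret:
        raise ValueError(f"{path}: empty secret")
    return secret


def write_secret_file(path: str, value: str) -> None:
    """Create the file as 0600 from the start, so it is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(value + "\n")


def demo() -> dict:
    """Constructed check: a 0600 file loads, a 0644 copy of it is refused."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "db_password")
        write_secret_file(good, "s3cret-example")  # constructed sample value
        loose = os.path.join(d, "db_password_loose")
        write_secret_file(loose, "s3cret-example")
        os.chmod(loose, 0o644)  # the mistake the loader is meant to catch
        try:
            load_secret(loose)
            loose_result = "loaded"
        except PermissionError:
            loose_result = "refused"
        return {"good": load_secret(good), "loose": loose_result}


if __name__ == "__main__":
    print(demo())
```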



