Well, if you're using slack for example you'll normally find that business use it to send a lot more senstive stuff to each other than just API keys. If your slack gets breached you've pretty much got yourself a data breach that you'll need to report (if you're covered by GDPR. If you're GitHub is breached you've probably got major issues and need to do a code aduit to make sure there are no backdoors. If any part of your infrastructure is comprised, you're in trouble. If you get to the nity gritty you've got to store senstive data somewhere.

Honestly, I find it super annoying when someone is fine with me sending them a link to kibana to which the access details are in slack to see a API key but have an issue with me sending the API key to them via slack. The whole we don't trust slack but we'll send customer data to each other via it, have all of our secret business info on it, but the API key for an internal service that just outputs public info, that's too dangerous.

Oh, and then there are the people who store everything on vault or something and then give out the password willy nilly. Mate, if it's got to be encrypted then we shouldn't be giving it out to everytone. If it's got to be given out to everyone then it's not senstive data, it's just private.

For most businesses, the main thing you need to keep safe is your database.