I think it’s overkill for homelab and over complex/additional failure points.
I use sops encrypted, published in my public git. When I apply my nix config, they are pulled and unencrypted on apply on the local machine.
Keeps it as simple as I can think of, with few moving parts.
Depends on the circumstances tbh. Things like sops do load the secret unencrypted on the machine (with perms but still unencrypted). For remote VPS, encrypted at rest is probably better. K8S has secret management but they're unencrypted too.
Another alternative could be using the Doppler secrets management platform; I used it for a while.