ismail yenigül
Apr 16, 2022

I use sealed-secrets in my EKS clusters. It works for most cases; it is simple and affordable. But I don't feel comfortable in general.

First of all, the one who creates the sealed-secret must log in to the cluster to be able to call kubeseal. You can do it with an offline cert, but it is extra effort.

I think application secrets should never be kept in git. They should be fetched from an external secret manager when the pod starts. I did a sample project at https://github.com/ismailyenigul/k8s-aws-ssm-env-load to load secrets from SSM parameters by changing the Dockerfile startup. SSM Parameter Store is just a free/easy solution. With this approach, you don't have to worry about secret rotation and storing keys in git.
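The startup pattern described in this response, as an added example that is not code from the linked k8s-aws-ssm-env-load project: an entrypoint fetches the parameters under one path (e.g. `/myapp/prod/DB_PASSWORD` becomes `DB_PASSWORD`) with decryption, exports them only into the process environment, and `exec`s the real command. It assumes the pod's IAM role may call `ssm:GetParametersByPath` (plus `kms:Decrypt` for SecureString values); the parameter list below is constructed for offline use.

```python
"""Entrypoint: load secrets from SSM Parameter Store into env, then exec the app.

Usage in a Dockerfile (assumed layout, not the linked project's):
    ENTRYPOINT ["python3", "/entrypoint.py", "/myapp/prod"]
    CMD ["./server"]
"""
import os
import sys
from typing import Callable, Dict, Iterable, List

Param = Dict[str, str]


def ssm_fetch(path: str) -> List[Param]:
    """Real fetcher: pages through GetParametersByPath with KMS decryption."""
    import boto3  # imported lazily so the module loads without the SDK installed

    paginator = boto3.client("ssm").get_paginator("get_parameters_by_path")
    params: List[Param] = []
    for page in paginator.paginate(Path=path, Recursive=False, WithDecryption=True):
        params.extend(page["Parameters"])
    return params


def params_to_env(path: str, params: Iterable[Param]) -> Dict[str, str]:
    """Map /path/NAME -> NAME, keeping only direct children with legal env names."""
    prefix = path.rstrip("/") + "/"
    env: Dict[str, str] = {}
    for p in params:
        if not p["Name"].startswith(prefix):
            continue  # parameter from another application or environment
        key = p["Name"][len(prefix):]
        if "/" in key or not key.isidentifier():
            continue  # nested path or not a valid environment variable name
        env[key] = p["Value"]
    return env


def load_ssm_env(path: str, fetch: Callable[[str], List[Param]] = ssm_fetch) -> Dict[str, str]:
    """Fetch and convert; `fetch` is injectable so the mapping can be tested offline."""
    return params_to_env(path, fetch(path))


# Constructed sample of what GetParametersByPath returns (not real secrets).
SAMPLE_PARAMS: List[Param] = [
    {"Name": "/myapp/prod/DB_PASSWORD", "Type": "SecureString", "Value": "sample-pw"},
    {"Name": "/myapp/prod/API_KEY", "Type": "String", "Value": "sample-key"},
    {"Name": "/myapp/prod/nested/TOKEN", "Type": "String", "Value": "skipped"},
    {"Name": "/myapp/prod/bad-name", "Type": "String", "Value": "skipped"},
]

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: entrypoint.py <ssm-path> <command> [args...]")
    secrets = load_ssm_env(sys.argv[1])
    # exec replaces this process: secrets live only in the app's environment, never on disk.
    os.execvpe(sys.argv[2], sys.argv[2:], {**os.environ, **secrets})
```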

Written by ismail yenigül

CKA/CKAD,AWS certified Freelancer DevOps Engineer

Responses (2)