The app:config:dump command in Magento will write current configuration values to either app/etc/config.php or app/etc/env.php. It’s important to understand what makes the difference, as config.php should be under source control and env.php should not!
Config values that are sensitive or environment-specific should never be under source control in your application codebase; therefore, if locked on disk, they belong in env.php. All other values can be locked in config.php as part of your deployed application. Magento has a handy mechanism for distinguishing between values on this basis when dumping them to disk.
When creating a new configuration setting, you should always ask yourself whether the value it will contain is sensitive, or whether it is likely to differ between environments (development vs. staging vs. production, etc). If so, an added step should be to inject the config path into the sensitive or environment argument of Magento\Config\Model\Config\TypePool using di.xml configuration. This controls the final disk location when config values are dumped.
Even if you don’t use app:config:dump as part of your workflow, this easy step will ensure that sensitive or environment-specific values never accidentally get written to a file that is committed to your source control!
Director of Training and Development at SwiftOtter -@ChrisNanninga