This question showed up while debating whether a configuration file with public application settings and secret values should be stored in Hashicorp's Vault as a secret.
A file that <i>would</i> contain a secret should have the secret attributes parameterized and the attribute modified on deployment using Hashicorp Vault, otherwise the entire file would have to be stored in Vault meaning the entire file is a secret. This is a common pattern with Ansible, Chef, Puppet and other configuration management tools that integrate with Vault. Docker also has integrations with Vault and can replace attribute placeholders with their secret contents on deployment of containers. All of the aforementioned platforms have how-to's explaining how to correctly integrate with Vault.
The secrets are secret. Store them securely.<p>If storing the secrets securely doesn't cause the public settings to be inaccessible where/when they're needed, then you have nothing else to do.<p>Separate the secret and non-secret data. Don't even use files, just let each item be its own individual value with its own key and permissions.<p>Also, it doesn't sound like anyone debating this is experienced enough to be making security decisions, even very basic ones.