Another major flaw:
Transparent decryption sounds nice. Until you commit decrypted secrets by mistake.
Because the encryption/decryption is transparent, you won't notice if the .gitattributes pattern-matching is wrong until it's too late.
I did this myself and saw it happen in the wild as well.
Using pre-commit with a hook to prevent secrets from being committed provides a bit more help preventing this mistake. Not foolproof, because you could always commit, say, a base64-encoded .env file.
That relies on the user configuring git hooks correctly, which is a similar problem as noticing that transparent decryption is configured correctly.
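A hook that checks what is actually staged, rather than trusting the attribute setup, closes both gaps raised above: it fails when a path that .gitattributes marks for encryption is sitting in the index as plaintext (the pattern did not match, so the clean filter never ran), and it scans everything else for .env-style secrets, including ones wrapped in base64. This is an added example, not code from the thread or from any encryption tool; it assumes git-crypt, whose encrypted blobs start with the bytes `\0GITCRYPT\0`, and a `.gitattributes` line of the form `secrets/** filter=git-crypt`. The magic header, the filter name, the secret-keyword heuristic and the sample inputs are all assumptions or constructed data.

```python
#!/usr/bin/env python3
"""Pre-commit check for a repo using a transparent git encryption filter.

Two checks per staged blob (the bytes that will actually land in the commit):
  1. a path whose .gitattributes filter says "encrypt me" must already be
     ciphertext in the index, otherwise the pattern did not match and the
     clean filter never ran;
  2. anything not encrypted is scanned for .env-style KEY=VALUE secrets, both
     as plaintext and hidden inside a long base64 run.
Assumptions (not from the thread): the tool is git-crypt, whose encrypted
blobs start with b"\\0GITCRYPT\\0", and .gitattributes uses filter=git-crypt.
"""
import base64
import re
import subprocess
import sys

GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"      # assumed git-crypt blob header
ENCRYPT_FILTER = "git-crypt"              # assumed filter name in .gitattributes
ENV_LINE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_]*=.+$", re.M)
SECRET_HINT = re.compile(rb"PASSWORD|SECRET|TOKEN|KEY|PRIVATE", re.I)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def looks_like_env(data: bytes, min_lines: int = 2) -> bool:
    """KEY=VALUE lines, at least one of them with a secret-looking key."""
    lines = ENV_LINE.findall(data)
    return len(lines) >= min_lines and any(SECRET_HINT.search(l) for l in lines)


def hidden_env_in_base64(data: bytes) -> bool:
    """Decode every long base64 run and re-run the env heuristic on it."""
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # bad padding / not really base64
            continue
        if looks_like_env(decoded):
            return True
    return False


def check_blob(path: str, data: bytes, must_encrypt: bool) -> list:
    """Findings for one staged blob; an empty list means it may be committed."""
    findings = []
    encrypted = data.startswith(GITCRYPT_MAGIC)
    if must_encrypt and not encrypted:
        findings.append(f"{path}: filter={ENCRYPT_FILTER} but staged as plaintext")
    if encrypted:
        return findings               # ciphertext: nothing more to inspect
    if looks_like_env(data):
        findings.append(f"{path}: looks like an unencrypted .env file")
    if hidden_env_in_base64(data):
        findings.append(f"{path}: base64 run decodes to .env-style secrets")
    return findings


# Constructed sample inputs so the checks can be exercised without git.
SAMPLE_ENV = b"DB_PASSWORD=hunter2\nAPI_KEY=abc123\n"
SAMPLE_B64 = b"config: " + base64.b64encode(SAMPLE_ENV) + b"\n"


def git(*args) -> bytes:
    return subprocess.run(["git", *args], check=True, capture_output=True).stdout


def staged_findings() -> list:
    """Run check_blob over every added/modified path in the index."""
    findings = []
    paths = [p.decode() for p in git("diff", "--cached", "--name-only",
                                     "--diff-filter=AM", "-z").split(b"\0") if p]
    for path in paths:
        # git check-attr prints "path: filter: git-crypt" or "...: unspecified"
        attr = git("check-attr", "filter", "--", path).decode().rstrip("\n")
        must_encrypt = attr.rsplit(": ", 1)[-1] == ENCRYPT_FILTER
        # ":path" is the index copy, i.e. what the clean filter produced
        findings += check_blob(path, git("show", f":{path}"), must_encrypt)
    return findings


if __name__ == "__main__":
    problems = staged_findings()
    for p in problems:
        print("pre-commit: " + p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Install it as `.git/hooks/pre-commit` or wire it in through a pre-commit framework config; either way it still depends on the hook being installed, which is the objection made above, so the same script is worth running in CI against the pushed tree, where nobody's local setup is trusted. The KEY=VALUE and base64 heuristics are deliberately loose and will need tuning (a Makefile full of `VAR=value` lines passes only because of the secret-keyword filter).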