Visual Studio Publish Profiles - Why not track in source control?

I cannot confirm the reasoning but I can tell you what we do. I include the .pubxml files in source control due to the fact that any of us can publish to our DEV or TEST environments. I even checked the files themselves and did not see any local paths. But consider that we use web deploy, so long as we all have access to the same server to deploy to, then there is no problem.

So it really, IMO, depends on what deployment settings you use and if all of your team have access to the same servers.

No credentials and no local paths are stored in our .pubxml files.

From Microsoft documentation (for ASP.NET Core 2.2 and up)-

When publishing to an Azure target, the .pubxml file contains yourAzure subscription identifier. With that target type, adding this fileto source control is discouraged. When publishing to a non-Azuretarget, it's safe to check in the .pubxml file.

Sensitive information (like the publish password) is encrypted on aper user/machine level. It's stored in the.pubxml.user file. Becausethis file can store sensitive information, it shouldn't be checkedinto source control.

This is correct. These publish profile files have local settings like target path to deploy which may be different for different systems. So it is always kept these files only locally.