Why do people put the .env into gitignore?

Your .env file contains very sensitive information (your app key at the very least). You do not want this in version control where everybody can see this information and possibly use it to attack your site.
Think about database information which might be stored in there or email keys or passwords. Furthermore it is likely that the information which you use in your .env file also needs to change between environments so you will need to change values anyways.

What should you instead do?
Make a file .env.example in this file you place all the keys of your .env.
ex.

APP_ENV=localAPP_DEBUG=trueAPP_KEY=SomeRandomStringAPP_URL=http://localhostDB_CONNECTION=mysqlDB_HOST=127.0.0.1DB_PORT=3306DB_DATABASE=homesteadDB_USERNAME=homesteadDB_PASSWORD=secret

Here you can see a file in which all the necessary information for somebody that wants to use your code is available but none of the sensitive information. Then somebody can copy this .env.example to .env and change the values.

The answers here and many articles all said .env includes sensitive information so it should not be put in source control. But the thing is .env does not just include sensitive information, it may also contain typical setting configuration. You can just leave sensitive information out and keep all the other settings in git.

Some suggests put .env.example in git, I actually followed that for a while but found it quite “inconvenient”, especially for the guys who newly joined the team. When they check out the codes, they find codes can not run, then they just copy .env from other old guys (not from .env.example and make the necessary changes.) b/c for dev environment even the sensitive information like API key/DB password are shared.

Quite often the whole dev team will have one API key and one DB setting. I see this happened from time to time, which just makes me doubt the use of .env.example.

So now I use the practice of putting .env in git and put sensitive information in .env.local which is gitignored.

Ruby dotenv gem suggested this https://github.com/bkeepers/dotenv#what-other-env-files-can-i-use
Symfony 4 has also changed to this behavior
When I do nodejs project I also use a npm package called dotenv-flow to do that.

The .env file contains passwords and API keys that should not go into source control for security reasons. Plus they will likely change between environments (you should use different API keys for testing vs production)

What you can do is keep .env.example.php in git and keep it updated with the variables that need to be configured, but leave the value blank. Then on new install just do copy .env.example.php to .env and update the values for that environment.