notea-org / notea

📒 Self hosted note taking app stored on S3

How to not have security violation in handling of S3 AWS keys?

invictus2010 opened this issue

The default installation guide for notea has the user put their AWS keys in the .env file, host it on GitHub, and then deploy to Vercel.

This is a huge security violation since the .env file can be read, leaving the account subsequently pwned.

Am I missing something? I very well could be, since I'm a newbie at hosting things like this.

.env just tells which environment variables to configure. If you need to deploy to Vercel, then you should configure these variables on the Vercel dashboard.

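A check that follows from the reply above, as an added example that is not part of the original thread or of notea's code: it scans the text of a `.env` file before it is committed and flags values shaped like AWS credentials, while a template that only lists variable names passes. The variable names and sample values are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example: flag AWS-shaped credentials in a .env file bound for a repository.
// Heuristic only: any 40-character base64-alphabet value (e.g. a hex digest) is also flagged.

// Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) followed by 16 characters.
const ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/;
// Secret access keys: exactly 40 characters from the base64 alphabet.
const SECRET_KEY = /^[A-Za-z0-9/+=]{40}$/;

// Parse KEY=VALUE lines, skipping blanks and comments, and strip matching quotes.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const eq = line.indexOf("=");
    if (eq < 1) return;
    const name = line.slice(0, eq).replace(/^export\s+/, "").trim();
    let value = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    entries.push({ line: i + 1, name, value });
  });
  return entries;
}

// Return one finding per variable whose value looks like a live credential.
function findCommittedSecrets(text) {
  const findings = [];
  for (const { line, name, value } of parseEnv(text)) {
    if (ACCESS_KEY_ID.test(value)) {
      findings.push({ line, name, kind: "aws-access-key-id" });
    } else if (SECRET_KEY.test(value)) {
      findings.push({ line, name, kind: "aws-secret-access-key" });
    }
  }
  return findings;
}

// Constructed samples: a names-only template and a file with values filled in.
const TEMPLATE = ["# names only", "EXAMPLE_ACCESS_KEY=", "EXAMPLE_SECRET_KEY=",
  "EXAMPLE_BUCKET=notes"].join("\n");
const LEAKY = ["# constructed sample", "EXAMPLE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE",
  'EXAMPLE_SECRET_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
  "EXAMPLE_BUCKET=notes"].join("\n");

console.log(findCommittedSecrets(TEMPLATE)); // no findings
console.log(findCommittedSecrets(LEAKY));    // two findings, lines 2 and 3
```

Run from a pre-commit hook or CI step, a non-empty result is the signal to move the values into the deployment platform's environment settings and rotate any key that was already pushed.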