
Fix your process then. Use a global ignore file. Add a language-specific gitignore boilerplate as the first thing you do when you create a new project. Scan for files that don't belong in code review (do I even need to suggest this?).

> never get to remove them from history.

Scrubbing specific files from git history isn't hard.

s/__pycache__ and *pyc/secrets.py/g and people will also commit it in. PEBCAK.
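The process fix described in this comment (global ignore plus a scan for files that don't belong in review), written out as a small git hook. This is an added example, not code from the thread; it assumes POSIX sh and git, and the script name `bytecode-guard.sh` is a placeholder.

```shell
#!/bin/sh
# Added example: refuse to commit Python bytecode, so an ignored secrets.py
# cannot leak through an unignored secrets.pyc, and audit what is already
# tracked. Assumes POSIX sh and git; bytecode-guard.sh is a placeholder name.

# Read paths from stdin (one per line), print each one that is compiled
# Python bytecode or lives under __pycache__. Returns 1 if any were found.
find_bytecode_paths() {
    found=0
    while IFS= read -r path; do
        case "$path" in
            *.pyc|*.pyo|__pycache__/*|*/__pycache__/*)
                printf '%s\n' "$path"
                found=1
                ;;
        esac
    done
    return $found
}

# Pre-commit check: look only at files staged for this commit.
check_staged_bytecode() {
    if offenders=$(git diff --cached --name-only --diff-filter=AM | find_bytecode_paths); then
        return 0
    fi
    printf 'refusing to commit compiled bytecode:\n%s\n' "$offenders" >&2
    return 1
}

# CI / one-off audit: bytecode that is already tracked in the repository.
audit_tracked_bytecode() {
    git ls-files | find_bytecode_paths && echo "no tracked bytecode"
}

# Global ignore so every new clone starts out right. Git reads
# $XDG_CONFIG_HOME/git/ignore by default; core.excludesfile makes it explicit.
setup_global_ignore() {
    ignore_file="${XDG_CONFIG_HOME:-$HOME/.config}/git/ignore"
    mkdir -p "$(dirname "$ignore_file")"
    printf '__pycache__/\n*.py[cod]\n' >> "$ignore_file"
    git config --global core.excludesfile "$ignore_file"
}

# Entry point: `sh bytecode-guard.sh hook` from .git/hooks/pre-commit,
# `sh bytecode-guard.sh audit` in CI, `sh bytecode-guard.sh setup` once.
case "${1:-}" in
    hook)  check_staged_bytecode ;;
    audit) audit_tracked_bytecode ;;
    setup) setup_global_ignore ;;
esac
```

The hook only catches bytecode; a separate secret scanner is still needed for plaintext `secrets.py` files, which the thread's last comment points out are the more common case.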



Of course there are trivial solutions to this issue.

Nonetheless, this is a common mistake, whether you believe it or not. And if it is common, then it will be exploited.


The premise of my original post is that ignoring secrets.py but not secrets.pyc is probably not very common. TFA claims "thousands of GitHub repositories contain secrets hidden inside their bytecode", which is probably true, but at least the vast majority of those have secrets.py in plain sight as well, no decompiling necessary; and TFA doesn't actually demonstrate any effort to filter those out.



