It's not a question of share everything or share nothing - with https://chezmoi.io you can choose exactly what you want to share:
* You can keep your entire dotfile repo secret by using any private git hosting, including your own git hosting or a private GitHub repo.
* You can keep individual files secret by using age or gpg encryption. If your repo is public, this only reveals the existence of the file, not its contents.
* You can keep individual parts of your dotfiles secret, e.g. API keys, by encrypting them or storing them in your password manager. All popular password managers are supported.
Chezmoi has been a blessing to use. It is one of the only tools I've used that has been able to survive me neglecting it for months and then getting back to it. I'd love a more interactive diff when my dotfiles have drifted too much. But otherwise it is perfect for my needs.
Meta had an internal tool called "dotsync". It persisted multiple revisions of dotfiles across multiple machines associated with a particular user's account. It supported ignoring history and secret files by patterns. This is a superset of simply storing all dotfiles in a single git repo. This unmaintained project seems suspiciously similar including the name: https://dotsync.org
* You can keep your entire dotfile repo secret by using any private git hosting, including your own git hosting or a private GitHub repo.
* You can keep individual files secret by using age or gpg encryption. If your repo is public, this only reveals the existence of the file, not its contents.
* You can keep individual parts of your dotfiles secret, e.g. API keys, by encrypting them or storing them in your password manager. All popular password managers are supported.
Disclaimer: I'm the author of chezmoi.