Description
Adding the download key `RNMapboxMapsDownloadToken` to Expo's app.json / app.config.js causes it to be published to the Podfile and gradle.properties file.
I had the key abstracted to a local config file. But expo prebuild does not know these items are secrets so it adds them to the Podfile and gradle file which normally need to be committed.
```js
// eslint-disable-next-line @nx/enforce-module-boundaries
const localConfig = require('../../.local.config.js')

const expoConfig = {
  plugins: [
    ...
    [
      '@rnmapbox/maps',
      {
        RNMapboxMapsVersion: '11.4.0',
        // Token is read from a local, uncommitted config file
        RNMapboxMapsDownloadToken:
          localConfig.mapbox.RNMapboxMapsDownloadToken,
      },
    ],
  ],
}
```
Questions
- Is this intended?
- Should I be ignoring the gradle.properties and Podfile for Xcode projects that are auto-generating some things?
Workaround / Security Doc update
If this is not intended...
- I think we should update the docs to protect these keys. The download key exposure seems to be low risk for now, but could get you banned if a bad actor took the key and spammed the API.
- We can add docs or point to docs about `.netrc` (iOS) and `local.properties` for Android.
Environment
Latest expo 51 (as a development build) with RN74.
Steps to reproduce
- Add the config key. Run `expo prebuild` and see the key be added to the android/gradle.properties and ios/Podfile.
- Publish it to GitHub public and get a warning about exposing download keys. 😢
You can try it on this repo: https://github.com/VirtualizeLLC/examples. Add the key to the apps/mapbox/app.config.js or make a .local.config and add the key there.
Afterwards run `nx run mapbox:prebuild --clean`; it should add the download keys.
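A pre-commit style check, added here as an example (it is not part of the issue or of the @rnmapbox/maps project), that scans the two generated files named above for a populated `RNMapboxMapsDownloadToken` before they reach a public repo. It assumes the plugin writes `RNMapboxMapsDownloadToken=<value>` to gradle.properties and `$RNMapboxMapsDownloadToken = '<value>'` to the Podfile (assumed line shapes), and the sample file contents are constructed.

```python
import re
from pathlib import Path

# Files that `expo prebuild` generates and that are normally committed (from the issue).
GENERATED_FILES = ("android/gradle.properties", "ios/Podfile")

# Assumed line shapes written by the plugin:
#   gradle.properties:  RNMapboxMapsDownloadToken=sk.xxxx
#   Podfile:            $RNMapboxMapsDownloadToken = 'sk.xxxx'
TOKEN_PATTERN = re.compile(
    r"""^\s*\$?RNMapboxMapsDownloadToken\s*=\s*['"]?(?P<value>[^'"\s]*)['"]?\s*$"""
)

# Values that are clearly not a real secret.
PLACEHOLDERS = {"", "YOUR_TOKEN", "<token>"}


def find_leaked_tokens(files: dict) -> list:
    """Return (path, line_no, masked_value) for every populated token assignment."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = TOKEN_PATTERN.match(line)
            if not m:
                continue
            value = m.group("value")
            # A placeholder or a shell-style variable reference is not a leaked secret.
            if value in PLACEHOLDERS or value.startswith("$"):
                continue
            masked = value[:3] + "..." + value[-2:] if len(value) > 8 else "***"
            findings.append((path, line_no, masked))
    return findings


def check_repo(root: str) -> list:
    """Read the generated files from a checkout (if present) and report populated tokens."""
    files = {}
    for rel in GENERATED_FILES:
        p = Path(root) / rel
        if p.exists():
            files[rel] = p.read_text()
    return find_leaked_tokens(files)


# Constructed sample contents mirroring what the issue reports after `expo prebuild`.
SAMPLE = {
    "android/gradle.properties": "org.gradle.jvmargs=-Xmx2048m\nRNMapboxMapsDownloadToken=sk.CONSTRUCTEDSAMPLE1234\n",
    "ios/Podfile": "$RNMapboxMapsDownloadToken = 'sk.CONSTRUCTEDSAMPLE1234'\nplatform :ios, '13.4'\n",
}

if __name__ == "__main__":
    for path, line_no, masked in find_leaked_tokens(SAMPLE):
        print(f"{path}:{line_no}: populated RNMapboxMapsDownloadToken ({masked})")
```

Wire `check_repo(".")` into a pre-commit hook and fail the commit when it returns a non-empty list; a Podfile that reads the token from `ENV[...]` does not match the pattern and is reported as clean.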