EAS Secrets is where you should put all your env variables at the end (as a CI/CD pipeline), and it is the one that will overwrite other values.
--env and the env object in eas.json are the same thing.
About sensitiveness, it depends which level of security you want to put on your variable in the EAS Secrets variable manager (visible, masked or secrets). Secrets level is for values you don't want other people on your team to see or to leak by mistake.
Sensitive data such as API keys should be stored at least at masked level.
You can restrict your variables to specific environments in EAS Secrets, which lets you configure them more efficiently.
Also a little warning: if you put data at masked or secrets level, be sure not to use them with the EXPO_PUBLIC_ prefix in your app, else they will be visible to anyone who installs your application.
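To make the last point checkable before a build, here is an added example (not code from the answer above or from Expo): a small guard that takes a list of variables with their visibility level and reports any whose name carries the EXPO_PUBLIC_ prefix while being stored at masked or secrets level, since EXPO_PUBLIC_* values end up inlined in the client bundle. The level names follow the answer's wording ("visible", "masked", "secrets"); the variable list and the `visibility` field are constructed for the example.

```javascript
// Added example, not part of the original answer.
// Flags variables that are stored as masked/secrets but exposed through the
// EXPO_PUBLIC_ prefix, which makes their value readable by anyone who installs
// the app.

const EXPO_PUBLIC_PREFIX = "EXPO_PUBLIC_";

// Level names as used in the answer; "secret" is accepted as an alias so the
// check is tolerant of either spelling (assumption for this example).
const NON_PUBLIC_LEVELS = new Set(["masked", "secrets", "secret"]);

// vars: array of { name, visibility } objects (constructed shape for this example).
// Returns the names that would leak: prefixed with EXPO_PUBLIC_ yet marked non-public.
function findLeakingPublicVars(vars) {
  return vars
    .filter(
      (v) =>
        typeof v.name === "string" &&
        v.name.startsWith(EXPO_PUBLIC_PREFIX) &&
        NON_PUBLIC_LEVELS.has(String(v.visibility).toLowerCase())
    )
    .map((v) => v.name);
}

// Returns a non-zero exit code when a leak is found, so it can gate a CI step.
function checkVars(vars) {
  const leaking = findLeakingPublicVars(vars);
  if (leaking.length === 0) {
    return { ok: true, exitCode: 0, leaking };
  }
  return {
    ok: false,
    exitCode: 1,
    leaking,
    message:
      "These masked/secrets variables use the EXPO_PUBLIC_ prefix and will be " +
      "bundled into the app: " + leaking.join(", "),
  };
}

// Constructed sample input for the demonstration.
const sampleVars = [
  { name: "EXPO_PUBLIC_API_URL", visibility: "visible" },   // fine: meant to be public
  { name: "EXPO_PUBLIC_API_KEY", visibility: "masked" },    // leak
  { name: "PAYMENT_SECRET", visibility: "secrets" },        // fine: no public prefix
  { name: "EXPO_PUBLIC_SENTRY_DSN", visibility: "secrets" } // leak
];

const result = checkVars(sampleVars);
if (!result.ok) {
  console.error(result.message);
} else {
  console.log("No masked/secrets variable is exposed via EXPO_PUBLIC_.");
}
```

In a pipeline you would feed the guard the variable names and levels you manage in EAS Secrets and fail the build on a non-zero exit code, so a secret accidentally renamed to an EXPO_PUBLIC_ name never reaches a shipped binary.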