Should sensitive data like the database password be generated in .env by default?

I noticed that when I used npx create-strapi-app project-name to create a Postgres project, the database password was stored inside config/database.js.

I wonder, since the .gitignore file already includes the .env file, isn’t it better to include the .env file and place the database password in the .env file by default when the project is created?