You shouldn't deploy .env files to production. You should set the actual environment variables on production. .env files are intended for convenience on non-prod systems.
Agreed, but server frameworks shouldn't easily enable a foot gun that allows bots to have disk access to your host. Instead, only explicitly defined routes or resource files should be available.
If I had to guess, this person committed their .env file in some repo and pushed that up, and that become available because the server was misconfigured.
For other servers (such as, say, Jetty), config files like that won't get exposed like that unless you're very obviously placing your config files in a public resource folder.
