It seems like a big security issue to have Copilot running by default within dotenv files (i.e. .env) that contain extremely sensitive information (API keys, access tokens, passwords, etc).

Can this be disabled by default?

I've circumvented this locally with this code in my vimrc:

augroup dotenv_detect
  autocmd!
  autocmd BufRead,BufNewFile *.env,*.env.*  set filetype=dotenv
augroup END

let g:copilot_filetypes = {
  \ '*':      v:true,
  \ 'dotenv': v:false
  \ }

But this feels like a pretty general best practice that should be opt-out, not opt-in.