by nodesocket 330 days ago
I would venture to guess the main concern is accidental commit of decrypted secrets.

That can happen regardless.
If a key gets compromised, the encrypted secrets are compromised forever, since you can't be sure all the git clones everywhere can be updated with a new encryption key. Not to mention how fiddly it is to edit git history.
I would assume if you are committing encrypted secrets you would make sure they are rotatable.
But you can and should be rotating those secrets on some schedule regardless, and if you find out a key has been compromised you can immediately rotate the secrets.