Re: Two simple ways, which are common sense...
It is easily done; I accidentally committed a signing key to my local repo early last year before I realised that my .gitignore wasn't quite right.
It's the downside of automatically staging new files - though personally I think it's better than the alternative.
The first key difference is that I checked my history and purged it from my local repo before I pushed it.
(The second, possibly more important detail being that the repo I push to is also private.)
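As an added example (not part of this reply, and not a script the poster describes using): a small POSIX-shell check of the kind that can be wired into a git pre-commit hook so that key material is refused at staging time rather than discovered in history later. The hook path and the `git diff --cached` wiring in the comments are assumptions for the illustration; the scanner itself is a plain function so it can be run on any file without git present.

```shell
# Added example, not from the original post. Assumes it is installed as
# .git/hooks/pre-commit (hypothetical path for this illustration) and given
# the staged paths; the functions below do the actual checking.

# Returns 0 when the file looks clean, 1 when it contains PEM private-key
# markers (RSA, EC, DSA, OpenSSH, PGP, encrypted, or the generic form).
scan_for_private_key() {
    file="$1"
    # Skip paths that are not regular files (deleted entries, directories).
    [ -f "$file" ] || return 0
    # '--' is required because the pattern itself begins with '-'.
    if grep -Eq -- '-----BEGIN (RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY( BLOCK)?-----' "$file"; then
        printf 'refusing to commit %s: private key material found\n' "$file" >&2
        return 1
    fi
    return 0
}

# Scan every path given; return 1 if any one of them fails the check.
# In a pre-commit hook the path list would come from:
#   git diff --cached --name-only --diff-filter=ACM
scan_all() {
    rc=0
    for f in "$@"; do
        scan_for_private_key "$f" || rc=1
    done
    return "$rc"
}
```

A non-zero exit from a pre-commit hook aborts the commit, so the key never enters local history and there is nothing to purge before pushing. The check only covers files that are actually staged; an incorrect `.gitignore` is exactly the case where something unexpected gets staged, which is why the hook inspects content rather than trusting the ignore rules. Anything already committed still has to be removed by rewriting history (for example with `git filter-repo`) before the branch is pushed anywhere.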