The Fastlane Match documentation suggests putting certificates in a private git repo. If my project repo is already private is there any reason to not put the certificates into the project repo? Say in a /certificates directory?
Obviously it would be paramount not to deploy these certificates with any kind of release.
If you use your signing identity for more than one project you would need to store it in every repository. When you need to update it you need to update it in every repository, thus it would be better to have it only in one place. The signing identity is (most likely) not specific to the one project.