An update for anyone reading this later: I got one thing wrong in my answer about the construction chain for .env during deployments.
The wordpress_env_defaults dictionary in group_vars/all/helpers.yml has no effect in deployment. The deploy role redefines wordpress_env_defaults with a new structure (in deploy/vars/main.yml, which comes later in Ansible’s variable precedence order).
This is why the deployed .env file includes nice things like GIT_SHA and RELEASE_VERSION.
Unfortunately it also means there is no place out of the box to define unencrypted env variables that will be applied to every single environment. You have to put it all under each wordpress_sites.{site}.env in the group_vars/{env}/wordpress_sites.yml files.
The wordpress_env_defaults from the group_vars/all/helpers.yml file is only used in server provisioning. So, it takes effect when creating a development VM (because the dev.yml playbook does not use the deploy.yml playbook).
There was a previous thread about this: Wordpress_env_defaults in helpers.yml not working?
(vault_wordpress_env_defaults does get applied to every environment, but it’s a pain to encrypt non-sensitive stuff there. Probably better to define a custom var and merge it into wordpress_sites.)
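One way to do the "custom var merged into wordpress_sites" workaround from the post above, as an added illustration and not Trellis's own code: the file name env_common.yml, the variable name wordpress_env_common, the site name example.com and the env values are all assumed; combine is Ansible's standard dict-merge filter, so the shared dict is merged once per site at the point where wordpress_sites.{site}.env is read, and the deploy role then sees the merged result regardless of what it does with wordpress_env_defaults.

```yaml
# group_vars/all/env_common.yml  (assumed file name; any file under group_vars/all/ is loaded)
# Unencrypted env values that should reach every environment.
wordpress_env_common:
  WP_MEMORY_LIMIT: 256M
  DISABLE_WP_CRON: "true"

# group_vars/production/wordpress_sites.yml  (repeat the same env: line per environment)
wordpress_sites:
  example.com:
    site_hosts:
      - canonical: example.com
    local_path: ../site
    repo: git@github.com:example/site.git
    branch: master
    # combine() merges the shared dict with the per-site values; on a key clash the
    # right-hand (site-specific) dict wins, so an environment can still override a shared value.
    env: >-
      {{ wordpress_env_common | combine({
        'wp_home': 'https://example.com',
        'wp_siteurl': 'https://example.com/wp',
        'wp_env': 'production'
      }) }}
```

Sensitive values still belong in vault_wordpress_env_defaults (or vault_wordpress_sites), which this merge leaves untouched.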