In the vault you would set the variables like this:
vault_wordpress_sites:
env:
plugin_api_key_id: YOUR_KEY_ID
plugin_api_secret_key: YOUR_SECRET_KEY
Since you would be using Bedrock (implied by use of Trellis), instead of wp-config.php the variables would be stored in .env (at the site root) and if they needed to be manually retrieved you would use env('PLUGIN_API_KEY_ID').
Related docs:
Similar:
Same idea, a little different use case:
https://roots.io/guides/acf-pro-as-a-composer-dependency-with-encrypted-license-key/