If your encryption key generation security depends on people not knowing how you generate keys, then it's totally busted.

Ah, but the question isn't Is this a good idea? but Is this legally required?

Not always the same.

It may not depend on it, but it will improve it by some small margin most of the time.

Centralized version control doesn't have any advantage over distributed version control for either of those scenarios. Particularly, it doesn't give you any more control over where the code goes after someone with authorized read access to the repository makes their own copy of it.

For that, you need comprehensive monitoring on every system from which the repository can be accessed that tracks what is done, and once you have that, it doesn't really matter what you do for VCS for that kind of monitoring.