It's often good practice to have a dedicated build server responsible for producing your release builds and owning the release key. That machine should be kept as secure as possible, along with your source control server.
However, isolating machines used solely for development is not common. A leaked development key is typically not very useful. The resulting code is usually not run anywhere other than the developer's own hardware.
(A compromised dev machine in this scenario could still be used to push malicious code to source control, which would be bad. So it's still good to keep security in mind. But at least that's potentially detectable compared to a compromised compiler. This is also where mandatory code review prior to commit can be useful.)
However, isolating machines used solely for development is not common. A leaked development key is typically not very useful. The resulting code is usually not run anywhere other than the developer's own hardware.
(A compromised dev machine in this scenario could still be used to push malicious code to source control, which would be bad. So it's still good to keep security in mind. But at least that's potentially detectable compared to a compromised compiler. This is also where mandatory code review prior to commit can be useful.)