I don't think I've ever encountered something like this. But on the other hand, I don't think this is really avoidable in principle, especially for open source applications. Proprietary apps can try to obfuscate the API key somehow but that's not really doable for open source apps.

Indeed, one possibility is to inject the key at package build time, but each user will still have to get a copy as part of the package. Not to mention that ideally all the package build source artifacts & the build system would be open (as when building packages in Fedora) so there would be no place to hide the key - every user should be able to audit the package build and rebuilt the package, so needs all of the input artifacts.

For that reason I prefer "public" APIs that don't use API keys where possible and that apply IP base rate limiting (IIRC geonames and Nominatim work that way).

Another possibility is to add an option for users to add they own API keys, so they can get stuff working if the default one goes bad or even by default if you want to use an API with so low rate limit a shared key is unusable.