Please share some more information on your setup, at least the GitRepository and Kustomization manifests. Flux doesn't delete any resources it doesn't govern. However, it will overwrite resources if they exist in the cluster but are also governed by Flux (e.g. by being present in a Git repository that's reconciled).

well the cluster itself is managed itself by flux, its all standard, meaning the setup after a bootstrap,
the packages themselves are governed by a helm release, but separate from the resources such as secrets, namespaces ingressroutes, both held together by kustomization.

the namespaces are nested due to hierarchical namespaces addon
otherwise than having flux managing the staging cluster from an unmanaged namespace, there is nothing special about it either

# kubectl hns tree staging
staging
├── [s] cert-manager
├── [s] csi-driver-nfs
├── [s] docker-registry
├── [s] gitsrv
├── [s] kubernetes-replicator
├── [s] metallb-system
└── [s] traefik
|- flux-system

the secrets are replicated by kubernetes-replicator

kind: Secret
metadata:
  annotations:
    cert-manager.io/private-key-encoding: PKCS1
    cert-manager.io/private-key-size: 4096
    replicator.v1.mittwald.de/replication-allowed: "true"
    replicator.v1.mittwald.de/replication-allowed-namespaces: "traefik,docker-registry"

  name: tlscertificatesecret
  namespace: cert-manager
type: kubernetes.io/tls
data:
  tls.crt: <OMITED SECRET>
  tls.key: <OMITED SECRET>

apiVersion: v1
kind: Secret
metadata:
  name: tlscertificatesecret
  namespace: traefik
  annotations:
    replicator.v1.mittwald.de/replicate-from: cert-manager/tlscertificatesecret
    replicator.v1.mittwald.de/replicated-keys: tls.crt,tls.key
type: kubernetes.io/tls
data:
  tls.crt: ""
  tls.key: ""

it does sync the secret by kubernetes-replicator, but returns to its default state (tls.crt, tls.key empty) once
reconciliation ran. my assumption is that flux governs the secret through reference in kustomization and replaces the replicated secret by the template one once it runs named kustomization reconciling.

Same happens with secrets of type kubernetes.io/dockerconfigjson over time they will be overridden with the default value