Vault is definitely a better choice than static AEAD keys in pretty much all ways. I just don’t know if having Boundary workers in both environments as part of a single Boundary installation is going to be OK with your security folks given the intent of GovCloud – you’ll either have workers in commercial AWS reaching into GovCloud, or GovCloud workers reaching into commercial AWS. (Then again, maybe you are your security folks, in which case you get to decide.)
The best option if you have a Vault Enterprise deployment is going to be one cluster in GovCloud and one in commercial AWS performance-replicating those Transit keys to each other, as long as that kind of replication is OK policy-wise on your end. (It’s probably going to be easier to justify than direct client access across the GovCloud perimeter, at any rate.)
And either way, you’ll still have to figure out what Boundary client access to the Boundary controllers and workers looks like.
You know your security policy better than I do; I just don’t want to steer you in a direction that’s going to get you in hot water with a COTR or something.
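To make the "static AEAD keys vs. Vault Transit" comparison concrete, here is an added example of the KMS stanzas in a Boundary controller and worker config, first with keys embedded in the file and then backed by a Transit key. This is illustrative code written for this discussion, not configuration from the original post or from HashiCorp's docs; the Vault address, mount path, key names, TLS file paths and the assumption that the Vault token is supplied via the `VAULT_TOKEN` environment variable are all assumptions for the example. Under the two-cluster layout described above, the GovCloud controllers and workers would point `address` at the performance secondary in GovCloud and the commercial ones at the primary, with identical `key_name` values because replication carries the Transit mount and its keys across.

```hcl
# BEFORE: static AEAD keys in the controller config.
# Whoever can read this file holds the raw key material; rotating it means
# re-keying Boundary by hand. The base64 values are constructed placeholders
# (e.g. `head -c 32 /dev/urandom | base64`), not real keys.
kms "aead" {
  purpose   = "root"
  aead_type = "aes-gcm"
  key       = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  key_id    = "global_root"
}

kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id    = "global_worker-auth"
}

kms "aead" {
  purpose   = "recovery"
  aead_type = "aes-gcm"
  key       = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id    = "global_recovery"
}

# AFTER: the same three purposes backed by Vault Transit keys.
# Key material never leaves Vault; Boundary only calls encrypt/decrypt.
# Assumed one-time Vault setup (on the performance primary):
#   vault secrets enable transit
#   vault write -f transit/keys/boundary-root
#   vault write -f transit/keys/boundary-worker-auth
#   vault write -f transit/keys/boundary-recovery
# The token Boundary uses is assumed to come from VAULT_TOKEN and to carry a
# policy such as (assumed policy, written for this example):
#   path "transit/encrypt/boundary-*" { capabilities = ["update"] }
#   path "transit/decrypt/boundary-*" { capabilities = ["update"] }
#   path "transit/keys/boundary-*"    { capabilities = ["read"] }
kms "transit" {
  purpose         = "root"
  address         = "https://vault.govcloud.example.internal:8200"  # assumed; local cluster
  disable_renewal = "false"
  key_name        = "boundary-root"
  mount_path      = "transit/"
  tls_ca_cert     = "/etc/vault/ca_cert.pem"   # assumed path
  tls_server_name = "vault.govcloud.example.internal"
  tls_skip_verify = "false"
}

kms "transit" {
  purpose         = "worker-auth"
  address         = "https://vault.govcloud.example.internal:8200"
  disable_renewal = "false"
  key_name        = "boundary-worker-auth"
  mount_path      = "transit/"
  tls_ca_cert     = "/etc/vault/ca_cert.pem"
  tls_server_name = "vault.govcloud.example.internal"
  tls_skip_verify = "false"
}

kms "transit" {
  purpose         = "recovery"
  address         = "https://vault.govcloud.example.internal:8200"
  disable_renewal = "false"
  key_name        = "boundary-recovery"
  mount_path      = "transit/"
  tls_ca_cert     = "/etc/vault/ca_cert.pem"
  tls_server_name = "vault.govcloud.example.internal"
  tls_skip_verify = "false"
}

# A worker only needs the worker-auth purpose. A worker in commercial AWS
# points at the primary but uses the same key name, since the replicated
# Transit mount exposes the identical key on both clusters.
# (worker.hcl)
# kms "transit" {
#   purpose         = "worker-auth"
#   address         = "https://vault.commercial.example.internal:8200"  # assumed
#   disable_renewal = "false"
#   key_name        = "boundary-worker-auth"
#   mount_path      = "transit/"
#   tls_ca_cert     = "/etc/vault/ca_cert.pem"
#   tls_server_name = "vault.commercial.example.internal"
#   tls_skip_verify = "false"
# }
```

The practical check before cutting over is to confirm from the GovCloud side that `vault read transit/keys/boundary-worker-auth` against the secondary returns the same key version as the primary; if replication is lagging or filtered, workers on one side will fail to authenticate against controllers on the other, and that failure mode looks like a networking problem rather than a KMS one.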