If you put the token in there, you should make sure afterwards that the generated image doesn’t contain the token. It could be (I don’t know and haven’t checked) that ansible-builder stores some information from the build process in the image for introspection reasons, and this could also contain information on which collections were installed (and the easiest way to do that is to simply keep the requirements.yml file, which includes the token). Maybe it doesn’t do that, but I’d still check, just in case.
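One way to do the check suggested above, as an added example that is not part of the original posts and not ansible-builder code: it walks every layer and metadata file of a saved image archive and reports where the token appears. The sample archive, its file paths, the git URL and the token value are all constructed for illustration.

```python
import io
import tarfile

def _scan_tar(data, needle, origin, hits):
    """Scan each regular file in a tar; recurse when a member is itself a tar (a layer)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:  # r:* also handles gzip
        for member in tar:
            if not member.isfile():
                continue
            blob = tar.extractfile(member).read()
            path = f"{origin}:{member.name}"
            try:
                _scan_tar(blob, needle, path, hits)
            except tarfile.TarError:
                # Not an archive: an ordinary file, or the image config/manifest JSON.
                if needle in blob:
                    hits.append(path)

def find_secret_in_image(archive: bytes, secret: str) -> list:
    """Return every path inside a saved image archive whose content contains the secret."""
    hits = []
    _scan_tar(archive, secret.encode(), "image", hits)
    return hits

def _make_tar(files: dict) -> bytes:
    """Helper for the constructed sample only: pack {name: bytes} into a tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_image(token: str) -> bytes:
    """Constructed stand-in for a saved image: one clean layer, one that kept requirements.yml."""
    req = f"collections:\n  - name: https://oauth2:{token}@git.example.invalid/org/coll.git\n    type: git\n"
    return _make_tar({
        "manifest.json": b"[]",
        "layer1/layer.tar": _make_tar({"etc/os-release": b"NAME=example\n"}),
        "layer2/layer.tar": _make_tar({"build/requirements.yml": req.encode()}),
    })

if __name__ == "__main__":
    TOKEN = "EXAMPLE-TOKEN-123"  # constructed value, not a real credential
    for hit in find_secret_in_image(build_sample_image(TOKEN), TOKEN):
        print("token found in", hit)
```

For a real image, pass the bytes of an archive written by `podman save -o image.tar <image>` (or `docker save`) to `find_secret_in_image`. The search is for the literal token bytes, so a copy that is encoded or sits inside a compressed non-tar file would not be reported.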
Just for clarity, it is not recommended to use git repos for production collection installation. It is meant as a developer shortcut. You should investigate installing some form of galaxy server to serve out the artifacts. Or at the very minimum, host the artifacts on some other internal non-authenticated web service.