Storing credentials in configuration is bad practice, but as far as I can tell commerce_paypal makes doing the right thing a bit tricky.
You can override the client_id and client_secret for a gateway in settings.php via $config['commerce_payment.commerce_payment_gateway.[your_gateway]']['configuration'], but since the UI doesn't know about overriden config values, this means you can't save the gateway config form because it will fail validation. So if you want to make changes to conditions or other settings you can't.
The best solution imo would be integrating with the key module, which would allow storing credentials in config as it is currently, or any of the other providers supported by plugins.
But making the config form aware of overriden configuration when saving would also solve this problem.
Active
1.0
PayPal / IPN
+1. Coming from the commerce_braintree module and was pretty disappointed that this doesn't work out-of-the-box here. Als makes it unnecessary difficult to automatically switch between development and live systems.
PS: It would already help if the credential fields were optional and could be left empty.