I want to elaborate on this point a little. You don’t need a custom iso to install a custom system. I can reinstall my system using the standard installer boot image, or an older one I happen to have handy still on my ventoy usb stick from the last time I needed to install a machine. As per Nix store sqlite db corruption - #6 by uep, I can even reinstall my machine from the running machine. With disko and other additional components, there are fewer and fewer manual steps needed from a blank disk. The result is the same; as a demonstration, running another nixos-rebuild on the system right after first boot is a no-op because the result is the same.
I don’t want to tell you that you shouldn’t build a custom iso, though, if you want. Good reasons for this mostly involve avoiding repeated package downloads from cache; you can pre-seed the store on the iso with the packages you use (or a full system closure of your target, even), and they’ll be used by the installer before going out to the network (as in the linked thread above). Good for repeated builds, installing a fleet of machines, or an automated hardware test, or something that should be basically entirely hands-off.
If that system closure uses agenix, sops-nix, or similar to include encrypted secrets, then they’ll be included too, and copied to the target store just like any other — but this is true regardless of whether you booted a custom installer, or added a local network cache, or built those packages again. For any of these cases, you’ll need to put the relevant decryption key in place (ssh host key, typically) for the pre-encrypted contents to be usable, of course.
But the distinction between these cases is really just where it’s best to start your journey. You don’t need to focus on the installer as the first part of nixos to learn, but if that grabs your interest, go for it.