The sops file is a lib.types.path, not a store path, so all paths are valid. It might be mentioned somewhere in the readme, but I don’t spot an explicit explanation of the type at a glance.
But yeah, just set it to any ol’ path (and define it as a string so that nix does not attempt to read it) and it works as long as you physically put the sops file there. After that the file is decrypted from that location at runtime, so your secrets never hit the store or git.
This blog post about what may well become the future built-in secrets manager may be of interest if you want to figure out how this stuff works under the hood. Sops is hardly required, and really the secrets don’t need to be encrypted either, that’s all just the result of sops/agenix becoming dominant early on. Shame the PR hasn’t seen much attention since the announcement, it’d be great if newcomers didn’t have to use third party projects and learn about sops/encryption on top of all the other stuff.