All of the tutorials I've seen (such as here) for using Rewrite rules with Apache on Centos show how to enable .htaccess and then put the rules in there, which requires enabling AllowOverRide All in httpd.conf for the www directory being used.
From a security standpoint I would think it better to keep .htaccess disabled and put the rewrites into httpd.conf (or .../sites-enabled/example.net.conf). Indeed, this is the advice of the Apache manual, When (not) to use .htaccess.
Is there a good reason using httpd.conf for rewrites isn't common practice?
A large number of the consumers of the tutorials you've read are customers of shared webhosts, whom don't have access to modify the main apache configuration, but do typically have the ability to place rewrite rules in
.htaccessfiles in their web document root.You're right in saying that it's preferred to put configuration in the main config file if possible. This is for two reasons: first, there's a very slight performance gain, in that the webserver doesn't need to be constantly re-reading the
.htaccessfile, and second, security - your httpd.conf is typically much more well-protected from modifications than your.htaccessfile(s).