Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See sources.list(5) for details. Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not managed by packages.
In fact, moving to a deb822 format might make this even easier.
It is supported since apt version 1.1, so it is available (at least) since Debian 8 (jessie).
I've noticed that we almost never update source files outside of Ansible (with the apt_repository module), so we could decide to change all custom source files to this new format, without breaking anything.
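A sketch of the migration discussed above, as an added example that is not part of the original post or of any existing tooling: it converts a one-line-style entry into a deb822 stanza and refuses any entry that would end up without `Signed-By`. The function name `to_deb822`, the repository URL and the keyring path are hypothetical; only the `arch` and `signed-by` options are handled.

```python
import re

# One-line option names -> deb822 field names (see sources.list(5)).
# Only these two are handled; anything else is rejected for manual review.
OPTION_FIELDS = {"arch": "Architectures", "signed-by": "Signed-By"}

LINE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>(?:\s+\S+)*)\s*$"
)


def to_deb822(line, default_keyring=None):
    """Convert one one-line-style source entry to a deb822 stanza.

    default_keyring (hypothetical parameter) is used as Signed-By when the
    entry has no signed-by option. With neither, the entry is rejected,
    because it would be checked against every globally trusted key.
    """
    m = LINE_RE.match(line.split("#", 1)[0].strip())
    if not m:
        raise ValueError(f"not a one-line source entry: {line!r}")
    fields = {"Types": m["type"], "URIs": m["uri"], "Suites": m["suite"]}
    if m["comps"].strip():
        fields["Components"] = " ".join(m["comps"].split())
    for opt in (m["opts"] or "").split():
        name, _, value = opt.partition("=")
        if name not in OPTION_FIELDS:
            raise ValueError(f"unsupported option: {name!r}")
        # One-line style separates multiple values with commas, deb822 with spaces.
        fields[OPTION_FIELDS[name]] = value.replace(",", " ")
    fields.setdefault("Signed-By", default_keyring)
    if not fields["Signed-By"]:
        raise ValueError("no signed-by option and no default keyring given")
    return "".join(f"{key}: {value}\n" for key, value in fields.items())


# Constructed sample entry; URL and keyring path are placeholders.
SAMPLE = ("deb [arch=amd64 signed-by=/etc/apt/keyrings/example.gpg] "
          "https://repo.example.org/debian bookworm main contrib")

if __name__ == "__main__":
    print(to_deb822(SAMPLE), end="")
```
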