From what I can see, password is really a required argument, and False is just a sentinel, since writing def export_to_pem(self, private_key=False, password): is illegal syntax. In this case, I think we can do better in the stubs using overloads:

(This might make stubtest unhappy, im which case we need to add an entry to stubs/jwcrypto/@tests/stubtest_allowlist.txt.)

My understanding is password is only required if private_key is True. Would this be fine?

    @overload
    def export_to_pem(self, private_key: Literal[False] = False, password: Literal[False] | bytes | None = False) -> bytes: ...
    @overload
    def export_to_pem(self, private_key: Literal[True], password: bytes | None) -> bytes: ...

Oops, yes you are right. Your overload looks fine, here are two other alternatives:

    from _typeshed import Unused

    @overload
    def export_to_pem(self, private_key: Literal[False] = False, password: Unused = False) -> bytes: ...
    @overload
    def export_to_pem(self, private_key: Literal[True], password: bytes | None) -> bytes: ...

Unused is a type alias for object. This makes it clear to the reader that password has no effect.

    @overload
    def export_to_pem(self, private_key: Literal[False] = False) -> bytes: ...
    @overload
    def export_to_pem(self, private_key: Literal[True], password: bytes | None) -> bytes: ...

This prevents errors by the user like export_to_pem(password=b"...") or export_to_pem(True, b"..."), but might be a bit more disruptive, especially when export_to_pem is wrapped by another function with a similar signature.

Please pick which of the three alternatives you think fits best.

Went with Unused, it feels the most sensible to me.