So Braintree responded to this question with:
> So long as your system is PCI compliant, and your merchants are aware that their API keys are stored on your server, then you should be fine. How you store the integration API keys is completely up to you, and [we] don’t really have any best practices to offer.
So, it doesn't seem like this case affects the PCI/DSS scope of our product, and it seems we are free to choose an appropriate way to store the private API keys that we obtain (saravanan's suggestion is one possible option).