Saw this developer response, dated 1909. Scary!
#114 (IMAP server password stored in plain text on disk) - POPFile - Automatic Email Classification - Trac: "I just don't see how any kind of encryption of the password would be more than just cosmetic."
It is still world readable by default (on my Mac).
(It's Open Source, so I will put this on my list of things to do.)