The passphrase within the backup export is plain text. I am aware of the option to encrypt the backup export and that is what I will do for my backup export.
My concern is that this is a potential vulnerability. If a system is accessed by an unauthorized person, they could simply do an export to get the passphrase.
Unfortunately, without a LOT of over-coding, at some point Duplicati has to rely on the underlying OS for some level of security. However, there are some discussions around issues similar to the one you brought up including: