How is the storage of email credentials (for sending reports) secured?

The configuration is in Duplicati-server.sqlite. On Windows this is obfuscated to protect against simple scan tools. On Linux it is not, and I think it has to do with what SQLite is available. I suspect macOS is similar to Linux. DB Browser for SQLite can test this. If it can read the database, DB is not obfuscated.

Understanding the configuration storage in ~/.config/Duplicati. Can I remove stuff? shows permissions which could probably be cut down to 600 from 644 unless you run tray icon and use web UI password.

Here is one determined user’s attempt to get good encryption, and some discussion of security issues.