Apparently Duplicati saves all passwords (backup, servers, tokens, etc…) as plain text in an SQLite database. This database is encrypted but the program executable can decrypt it easily (correct me if I am wrong). Anyone with simple read access to your AppData folder, including other Windows users, could get this file, decrypt it and then have access to all your secured data.
If you have Windows Pro, Enterprise or Education there is a way to add extra protection to the Duplicati databases by using the EFS file system on an NTFS partition. Just locate the Duplicati configuration database file, right click, Properties, Advanced and then check “Encrypt contents”. Once encrypted, the file can be transparently accessed by the logged-on owner. Not even system administrators can read it (except if they are able to reset your password).
If you run Duplicati as a service you will also need to configure the service to run with your user credentials in order to be able to open the config files.
I think Duplicati could include a “Paranoid” mode that requires a master pass to load the config every time the program runs. This, obviously, would kill the automatic backups but allows the user to run the program directly from the backup HD without the risk of having any data compromised in case the media is lost.
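The EFS steps above (encrypt the config database, verify who can decrypt it, and run the service under the same user) as a PowerShell script. This is an added example, not code from the original post or from the Duplicati project; it assumes the databases live under `%LOCALAPPDATA%\Duplicati` and that the Windows service is named `Duplicati`, so check both against your install (a service installed under LocalSystem keeps its databases under the system profile instead).

```powershell
# Added example (not from the post or from Duplicati): apply EFS to the
# configuration databases so only the logged-on owner can open them.
# Assumptions: databases are under %LOCALAPPDATA%\Duplicati and the
# service name is "Duplicati" -- adjust both to match your installation.

$dbDir   = Join-Path $env:LOCALAPPDATA 'Duplicati'
$dbFiles = Get-ChildItem -Path $dbDir -Filter '*.sqlite' -File -ErrorAction Stop

# Stop Duplicati first: an open SQLite file cannot be encrypted in place.
$serviceName = 'Duplicati'   # assumption: confirm with Get-Service
if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
    Stop-Service -Name $serviceName
}

foreach ($f in $dbFiles) {
    # Same effect as Properties > Advanced > "Encrypt contents to secure data".
    # Throws on Home editions or non-NTFS volumes, where EFS is unavailable.
    [System.IO.File]::Encrypt($f.FullName)
}

# Verify that the Encrypted attribute is now set on every database.
$unencrypted = $dbFiles | Where-Object {
    -not ((Get-Item $_.FullName).Attributes -band [System.IO.FileAttributes]::Encrypted)
}
if ($unencrypted) {
    Write-Warning 'EFS was not applied to:'
    $unencrypted | ForEach-Object { Write-Warning $_.FullName }
}

# List the certificates (that is, the users) able to decrypt each file.
# Any other account, administrators included, gets "Access is denied".
cipher.exe /c $dbDir

# If Duplicati runs as a service, it must run as the encrypting user;
# LocalSystem holds no EFS key for these files and cannot open them.
# obj= and password= are sc.exe switches; the space after '=' is required.
$account = "$env:USERDOMAIN\$env:USERNAME"
$cred    = Get-Credential -UserName $account -Message 'Password for the Duplicati service account'
sc.exe config $serviceName obj= $account password= $cred.GetNetworkCredential().Password
Start-Service -Name $serviceName
```

Before relying on this, export the EFS certificate and private key with `cipher.exe /x` to a location outside the profile: if the user profile or password store is lost, the databases become unreadable, which is the same outcome for the owner as for an attacker. Also note that EFS protects the files at rest on this volume only; a copy Duplicati itself writes elsewhere, or the same database on a non-NTFS backup drive, is not covered.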