I don’t run the tray icon on my server, but maybe I can give it a shot if it survives my 16.04 → 18.04 Ubuntu upgrade.
I’m not sure… I would expect it to not log you in, but I didn’t design it.
The tray icon will read the credentials from either input variables on start or from the database, so it’s just logging in. This is required since it needs to ask the server API about notifications to display the error tray icon.
I suppose - if it’s logging in on your behalf - then anyone with access to your graphical session could log in to Duplicati. So VNC/RDP or physical access while not locked, but I doubt you could over CLI/SSH unless you do some x-forwarding trickery - while having sudo rights.
Well, it isn’t strictly bypassing it since it knows the password and authenticates, but yeah any process that has access to the Duplicati database can get the password. So if you’re running it as your user then anyone with access to ~/.config/Duplicati can login.
All in all, I would have expected the tray icon to not log you in, but I can’t confirm or deny if it does or if it’s designed to do so 