To expand on that, assuming that the node is correctly written, credentials are kept in a separate file from your flows. That file is encrypted using a key in your settings.js that you should certainly change.
So if you export a flow from the Editor, the credentials are not exported - as you would expect.
If someone gets hold of the credentials file, it is encrypted - but if they have access to that file, they will also have access to the settings.js file, which is in the same folder (your userDir folder, usually ~/.node-red). The settings file has the key in it, so in theory the credentials file could be decrypted.
The answer to your 2nd question then is yes.
But this is no different to any other service you are running that needs access to a secondary service. The credentials have to be somewhere and even if they are encrypted, the key has to be somewhere.
There are various ways to mitigate this issue; here are a few:

1. Keep the secure services on a different server, physically and logically separate from your main Node-RED server. So it could be Node-RED on a different device, locked away somewhere. Node-RED has so many ways of interacting with other systems that getting data between two of them is rarely an issue. This is probably the easiest and cheapest approach.
2. Use a hardware encryption device. This is certainly secure but also typically very expensive.
3. Use a global cloud provider that includes a keystore, such as Microsoft Azure.
Of course, it would be nice if Node-RED could interact with a keystore itself but that is quite complex.