There are quite a few different nodes available to connect Node-RED to different systems like SQL, Samba, MQTT etc. Most of them need a password to work, of course. But how safely are these passwords actually stored? Are they encrypted in some way? If I run Node-RED on a Raspberry Pi, would someone with physical access to the Pi also have access to the configured passwords?
To expand on that, assuming that the node is correctly written, credentials are kept in a separate file from your flows. That file is encrypted using a key in your settings.js that you should certainly change.
So if you export a flow from the Editor, the credentials are not exported - as you would expect.
If someone gets hold of the credentials file, it is encrypted - but if they have access to that file, they will also have access to the settings.js file, which is in the same folder (your userDir folder, usually ~/.node-red). The settings file has the key in it so, in theory, the credentials file could be decrypted.
The answer to your 2nd question then is yes.
But this is no different from any other service you are running that needs access to a secondary service. The credentials have to be somewhere and, even if they are encrypted, the key has to be somewhere.
There are various ways to mitigate this issue, here are a few:
Keep the secure services on a different server, physically and logically separate from your main Node-RED server. So it could be Node-RED on a different device, locked away somewhere. Node-RED has so many ways of interacting with other systems that getting data between two of them is rarely an issue.
This is probably the easiest and cheapest approach.
Use a hardware encryption device
This is certainly secure but also typically very expensive.
Use a global cloud provider that includes a keystore
Such as Microsoft Azure.
Of course, it would be nice if Node-RED could interact with a keystore itself but that is quite complex.