JeremyTBradshaw I will let Microsoft reply all the details about how is it safer or not during the transaction, but for storing the password in clear this problematic is real for any kind of passwords. If the user store it in clear, it would have stored a normal login / password in clear also.
On our side we store those passwords in a Keypass with limited access, and when required to use them we write the scripts / programs to accept only a SecureString as string version of that password, and if possible with a C# Program, we use a separate DLL and force user to pass a SecureString to not be tempted to convert the password as clear himself in the code.
I guess this is an eternal question on how to secure a password for a script or program, and the answer is mostly about how to actually encrypt it and really limit who / what can decrypt it to the minimum required (e.g. when we deploy in PROD, only super admins have the service account password that will run the program and be used to encrypt then decrypt the password).