So I see a lot of comments here leading to one fact that: as long as you have physical access to the device you shouldn't worry

But, remotely steal your data is a possibility without the need to have access to the device.

For example:
ATM it's difficult to know thats apps on Extras got anything harmful in them...I believe it is reasonably easy to slip in a code to send accounts.cfg with passwords in plain text back

Encrypted is better than nothing, if can't encrypted can't be done then don't store them at all.