You should never save any important passwords in your workspace files if you're afraid they might get into the wrong hands.

For someone who is moderately proficient in FME it is quite easy to extract the database connection password into clear text if they have access to the fmw file.

As an added layer of security you could consider also password-protecting the workspace file. Although this is no guarantee, it will help a bit. More info here: https://knowledge.safe.com/articles/603/password-protection-for-fme-workspaces.html

In the more recent versions of FME there is the concept of a named database connection, which is defined independently from the fmw file, and for which the encryption is much stronger. Highly recommended: https://docs.safe.com/fme/html/FME_Desktop_Documentation/FME_Workbench/!NamedConnections/Using_Database_Connections.htm

Since FME 2016 database connections can be saved as named connections.

Only the name of the connection (user defined alias) is stored in the FMW file.

You can reference the connection in multiple workspaces by name only.

The database credentials are stored in a binary external file (SQLite database).

And that file is usually saved under your user settings or you can specify the location via the FME options