Reposting this comment here for transparency

What Blorp stores:

• Unless using the website, all the code is stored locally on your device
• On login, we send your username/password to Lemmy/PieFed
• The API responds with a JSON Web Token (JWT)
• This JWT can be used to update, vote, post, etc on your account. It cannot be used to delete your account.
• We only ever store the JWT, so it's actually impossible for Blorp to delete your account

The bad news:

• MacOS stores the JTW locally as plain text. After reviewing this, I'm unhappy about this.
• iOS also stores the JTW in plain text, but has some pretty strict app sandboxing as far as I know. I'm not to worried here.
• I think Android also sandboxes, but I'm not 100% sure.
• Web stores the JTW in plain text, but this is pretty standard. The web enforces pretty good sandboxing between websites, and I don't run any code that isn't bundled into my app. I'm also not worried about this one.

I'm working on a rapid security update:

• This update will encrypt the iOS, Android, and MacOS databases on initial launch. Any unencrypted data will be destroyed immediately.
• I'm really sorry I wasn't more careful here.
• I also wouldn't panic as an app would have to know what file to look for, how to parse that file for the JWT, what instance the JWT belongs to.
• This update will be v1.9.12, and will be rolled out as soon as I'm done testing

TL;DR, MacOS is probably fine, but concerning me a little. This rapid update will bring encryption to iOS, Android, and MacOS.