The Mail app usually stores the user password encrypted. For XOAUTH2, the encrypted access token is stored in the same columns. However, while an XOAUTH2 account is being set up, its password is held in clear text in the database.
-> password field hides
Once the Gmail consent popup shows, look at the last entry in the oc_mail_accounts table.
inbound_password and outbound_password have the random value entered for the password.
A DBA could read the plaintext password.
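
The check described above can be turned into an audit that flags rows of oc_mail_accounts whose inbound_password or outbound_password does not look encrypted. This is an added example, not part of the original report or the Mail app's code. Assumptions: the table has an `id` column, encrypted values are hex fields joined by `|`, and an in-memory SQLite table with constructed rows stands in for the real database.

```python
import re
import sqlite3

# Assumption: encrypted values look like hex fields joined by "|"
# (ciphertext|iv|mac, optionally a version digit). Adjust to your instance.
CIPHERTEXT_SHAPE = re.compile(r"^[0-9a-f]{16,}(\|[0-9a-f]+){2,3}$")
PASSWORD_COLUMNS = ("inbound_password", "outbound_password")


def find_plaintext_candidates(conn):
    """Return (id, column) pairs whose stored value does not look encrypted."""
    findings = []
    query = (
        "SELECT id, inbound_password, outbound_password "
        "FROM oc_mail_accounts ORDER BY id"
    )
    for row in conn.execute(query):
        account_id, values = row[0], row[1:]
        for column, value in zip(PASSWORD_COLUMNS, values):
            if value and not CIPHERTEXT_SHAPE.match(value):
                findings.append((account_id, column))  # never echo the value
    return findings


def build_sample_db():
    """Constructed data: a normal account, a mid-setup account, an empty one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_mail_accounts ("
        "id INTEGER PRIMARY KEY, inbound_password TEXT, outbound_password TEXT)"
    )
    encrypted = "9f" * 24 + "|" + "ab" * 16 + "|" + "cd" * 32 + "|3"
    conn.executemany(
        "INSERT INTO oc_mail_accounts VALUES (?, ?, ?)",
        [
            (1, encrypted, encrypted),
            (2, "random-value-123", "random-value-123"),
            (3, None, None),
        ],
    )
    return conn


if __name__ == "__main__":
    for account_id, column in find_plaintext_candidates(build_sample_db()):
        print(f"account {account_id}: {column} does not look encrypted")
```

The function reports only the account id and column name, so the audit output itself never contains a credential.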