From my understanding jenkins saves alls password as AES encrypted strings not in plain text, e.g authentication provider strings.
It look like the scm plugin collects the form data before this encryption took place, so the password are submitted in plain text into scm provider. This is a big security issue if you wanna give non admin people acccess to the config backup in scm. If anyone can read password someone typed in secretly that is a big problem.
At least its shall be configurable to submit password unencrypted but defaults to encrypted, thats the way jenkins also saves config data on disk.