Not really. Instead, any user-supplied passwords are scrambled with a simple XOR-based algorithm. They do not appear as plain text.
The reason we don't use DPAPI for secure storage is that it would create problems with the portable version and config files shared between systems. For example, if the data was encrypted on system A and the config is then opened on system B, the scanner will not be able to read it.
Generally, if it is a concern, we recommend using the portable version and place it into an EFS-encrypted folder or a BitLocker container.