Security issue with iOS app cache mechanism and iCloud backup

I apologize for this error and I’m glad that we have a vivid community that detects mistakes like this at the earliest. That’s why I love open-source projects. I would argue that this error wasn’t obvious since it didn’t come up during our long development and beta phase with several thousand testers.

There are technical reasons why the cache is stored in cleartext, which is not an error or oversight. In a nutshell, we are bound (and limited) by the File Provider Extension API. There are certain mechanisms at play that force us to have cleartext data readily available. (At some point, you need to have cleartext data, otherwise you can’t work with them.) We are convinced that this is acceptable because of the app’s sandbox and Cryptomator’s security target, which is not the device itself.

However, the security issue definitely violated Cryptomator’s security target and we fixed it as soon as we knew about it. And we’ll keep improving the app. E.g., clearing the cache after the vault has been locked in combination with auto-lock can certainly be helpful if you’d like to tighten the longevity of the cache.
