Hi @tommyent,
These are valid concerns. The thread you referenced goes into a lot of this with regards to how the connection info is encrypted and how the exact information differs between integrations types. There is also some other info in a different thread. I will post the relevant pieces here, along with some further clarification:
In short, we use AES (CBC) for encrypting the connection information. We are only storing the bare essential information for facilitating access across our client interfaces (desktop and web client). For OAuth-capable services this means we are only storing the service-supplied tokens and never see your password or other sensitive authentication information.
Generally these tokens expire. Some access tokens actually expire very quickly (after an hour for OneDrive and Amazon Drive, for example). Dropbox has chosen to effectively not expire their tokens, explaining that users can revoke application access at any time. It’s not a practice I am fully supportive of, personally, but it is what they have decided to do.
For legacy protocols (FTP, WebDAV, and SFTP) and utility storage like Amazon S3, which do not make use of auth schemes like OAuth, storing the credentials is required. These are kept in an encrypted state in our database. Again, the encryption keys are kept separate from the data.