I remember this being discussed before, not sure where the discussion happened.
The problem extends much further than the mail password. It's the same with private tokens for social logins, API tokens for cloud upload adapters, etc.
Ideally Flarum should provide a mechanism so core features and extensions can easily create "sensitive" setting values.
I believe it's actually relatively common for software to allow reading back passwords like this when you are in a secure admin panel. It has some uses, and helps with troubleshooting sometimes, as you can see what is currently set without having to change it.
For forums with higher security requirements or those using continuous deployment, it would make sense to have a "locked down" version of the admin panel where nothing can be read or even written, to minimize risks in case an admin account was compromised. This can already be achieved relatively easily with a custom extender: the settings store can be replaced with a custom class that either filters what is stored in the database or provides hard-coded values, and the admin JSON payload can be modified to never return some keys.
Many of those problems come back to the basic issue of having a super admin at all. The best for security would be to have a single admin account, secure it as much as possible and never use it except for changing global settings. Use moderator accounts with various permission groups for day-to-day actions. If you have the package manager installed, no amount of read/write permission will protect you, as an attacker gaining access to an admin account could simply download a malicious extension that will bypass all those security measures.
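
A sketch of the locked-down settings store described in the post above, as an added PHP example that is not part of the original post and not Flarum's own code. `SettingsStore`, `ArrayStore`, `LockedDownStore` and the setting keys are hypothetical stand-ins for the real settings store and its keys (PHP 8+).

```php
<?php
// Added illustration. SettingsStore is a hypothetical stand-in for the forum's
// settings store, not Flarum's actual interface; keys and values are constructed.
interface SettingsStore {
    public function all(): array;
    public function get(string $key, $default = null);
    public function set(string $key, $value): void;
}

final class ArrayStore implements SettingsStore {   // stands in for the database
    public function __construct(private array $data = []) {}
    public function all(): array { return $this->data; }
    public function get(string $key, $default = null) { return $this->data[$key] ?? $default; }
    public function set(string $key, $value): void { $this->data[$key] = $value; }
}

// Decorator: pinned keys come from deployment config and cannot be overwritten;
// hidden keys are never included in what the admin frontend receives.
final class LockedDownStore implements SettingsStore {
    public function __construct(
        private SettingsStore $inner,
        private array $pinned,   // key => hard-coded value
        private array $hidden    // list of keys to strip from the admin payload
    ) {}

    public function all(): array { return array_merge($this->inner->all(), $this->pinned); }

    public function get(string $key, $default = null) {
        return array_key_exists($key, $this->pinned)
            ? $this->pinned[$key]
            : $this->inner->get($key, $default);
    }

    public function set(string $key, $value): void {
        if (array_key_exists($key, $this->pinned)) {
            throw new RuntimeException("Setting '$key' is locked");
        }
        $this->inner->set($key, $value);
    }

    // Everything except hidden keys; this is what would go in the admin JSON.
    public function forAdminPayload(): array {
        return array_diff_key($this->all(), array_flip($this->hidden));
    }
}

$store = new LockedDownStore(
    new ArrayStore(['forum_title' => 'Example', 'mail_password' => 'stale-db-value']),
    ['mail_password' => 'constructed-deploy-secret'],
    ['mail_password', 'oauth_client_secret']
);
var_dump($store->forAdminPayload());   // contains forum_title only
```

As the post notes, a wrapper like this limits what a compromised admin session can read or change through the panel, but it does not help once an attacker can install extensions.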