if you don't set a pop3 password in keyfs there won't be one in the clear (in `secret'). plan 9 itself doesn't need that password except to support pop3 clients (and similar). if you don't use pop3 you don't need it. the administrator of the auth server can still shuffle the contents of the plan 9 `key' files to masquerade, for instance, but cannot see the original plain text key. thus your secret is safe unless it's in `secret', because `key' doesn't contain the original key. in any case, the casual snooping possible with Unix/Linux's `root' is a little more tedious to do on Plan 9, and immutable logs in changeuser/keyfs might discourage it further.