I'm not an English native speaker, it wasn't meant to be passive aggressive at all. I just told you that @julien-f already explained the initial reasons (also telling you we are aware of that fact).
Also, XO 6 work is a major rework of the whole thing, and this will be taken into account on our redesign.
A note, however: if someone can slip into your XOA, password, tokens and XAPI access are available in memory (regardless the fact you have encryption or not). In that case, a passphrase won't change anything. That's why we decided to remove any default password in the XO virtual Appliance template, so nobody still use default creds as a "known" entry point.
And finally, as Xen Orchestra is fully Open Source, your contributions are very welcome 🙂