The password should never be stored, but if it is encrypted with a master password that is not recorded anywhere, then it is possible (it depends on the application).
In the remaining 99% of cases, passwords (encrypted, hashed) are stored only on servers,
keep the login and token, there will be no access without passwords.
Ideally, of course, only store the token, but everyone wants to make life more convenient for the user by entering a login for him in advance.

The best defense is to store nothing on the client other than a token to access your service. Never work directly with the database from the client, and it is better to access third-party closed APIs through your service. This is the only way to ensure that an attacker does not find anything.