Comment 10 for bug 1393515

well, we store at least a plaintext password in the syncevolution settings which the article i linked to complains about ...

and you cant really make sure that an app doesnt do the same in its applicatiopn config dir, we simply dont control that.
so having the browser ignore or deny the file:// protocol would be a quick way to prevent that (and i must say i personally dont really see a need to support file:/// on a phone)