Mark, you read it correctly and you're right, anyway a malicious user at your console should not be able to read your passwords. Also note that to steal saved passwords it's sufficent to entice a victim to execute a malicious script like that:

--BOF
tell application "Safari"
open location "https:/...

[ more ]