A script could quite easily do something like this:
on *:load: set %thisscript.password $$?="This script makes use of $!decode(). If you have set a password in the mIRC lock options dialog, please enter that password now."
There is much less of a security issue with scripts storing the password as plain text, as malicious scripts are not going to know that a particular script which may or may not store the lock password is loaded. Different scripts will store the password in different ways, whereas if mIRC stored it as plaintext, there would be a standard way for all scripts to get the password.
Scripters could even give the variable an unrelated name, like /set %house <password>
And if somebody has access to your computer itself, I think somebody seeing a password for the lock commands is the least of your worries.