I just noticed using the Accessibility Inspector, that password textfields expose their contents. Any app that is run could fetch the accessibility hierarchy of Safari, and get the contents of such a password field (even if the text is written out as bullets). Steps to reproduce: 1. Go to gmail.com 2. Fill out the password field 3. Launch Accessibility Inspector.app and point at the password field. See the AXValue field to see your password in plain text.
Fixed in r17083 (<rdar://problem/4770453> VO not honoring secure edit fields in web pages).