Description
It would appear that all user passwords are stored in plaintext in file /var/log/archinstall/user_credentials.json, which is accessible to any user on the system (mode=644).
# ls -l /var/log/archinstall/user_credentials.json
-rw-r--r-- 1 root root 94 May 1 18:48 /var/log/archinstall/user_credentials.json
At minimum suggest changing the access permissions on this file to mode=600, user=root, group=root.
Better yet, store the password hash. I see that there is another issue (#1029) for allowing passwords to be provided in a hashed manner. And in this issue there is some concern over supporting multiple potentially disparate hashing requirements. Given that the entry is already stored as a JSON object (Python dict), one solution would be to extend the object to indicate which subsystem the entry is for, such as:
{
    "!superusers": {
        "wilbur": {
            "!password-shadow": "$6$xyz$ZmArb33D/r5Aftt/vkeJD.eOocWEgln8gW2Jn/71EUup1LDTJv0P8nL76leql7HDvsy2ObrAT6k.jQnol2pfV0"
        }
    }
}
or
{
    "!superusers": {
        "wilbur": {
            "!password": {
                "shadow": "$6$xyz$ZmArb33D/r5Aftt/vkeJD.eOocWEgln8gW2Jn/71EUup1LDTJv0P8nL76leql7HDvsy2ObrAT6k.jQnol2pfV0"
            }
        }
    }
}
Personally, I prefer the second form. IMO, it is easily extensible for any additional passwords that need to be conveyed.
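
The two suggestions above (mode 600 and the second JSON form), as an added example that is not part of the original issue and is not archinstall's own code. The function names are hypothetical, and the plaintext layout it flags (`"!password"` holding a bare string) is an assumption about the current file format.

```python
import json
import os
import re
import stat

# Hypothetical helpers for illustration; not archinstall's API.
# crypt(3)-style value: $id$[params$]salt$hash
CRYPT_RE = re.compile(r"\$[0-9a-z]+(\$[./A-Za-z0-9=,]+){2,3}")


def write_credentials(path, creds):
    """Write creds as JSON so only the owner can read it, whatever the umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        # The mode passed to os.open() is ignored when the file already
        # exists, so tighten a pre-existing 0644 file explicitly.
        os.fchmod(fh.fileno(), 0o600)
        json.dump(creds, fh, indent=4)


def audit_credentials(path):
    """Return findings for the file mode and for each stored password."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o} grants group/other access")
    with open(path) as fh:
        data = json.load(fh)
    for section, users in data.items():
        for user, entry in users.items():
            pw = entry.get("!password")
            if isinstance(pw, str):
                # Assumed plaintext layout: "!password": "<secret>"
                findings.append(f"{section}/{user}: plaintext password")
            elif isinstance(pw, dict):
                # Second form from the issue: "!password": {"<subsystem>": "<hash>"}
                for subsystem, value in pw.items():
                    if not (isinstance(value, str) and CRYPT_RE.fullmatch(value)):
                        findings.append(f"{section}/{user}: {subsystem} is not a crypt hash")
    return findings


if __name__ == "__main__":
    for line in audit_credentials("/var/log/archinstall/user_credentials.json"):
        print(line)
```
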