been using claude code heavily for a while now and yeah the memory files are just plaintext sittng in your home directory. no encryption, no access controls. if you're running it on a shared machine or a dev server that's a real exposure. treat it like any other credential file — restrict permissions and don't put it on machines you don't fully control.