You’re correct, if the config is encrypted, nobody can see. But… for those that have scripts or a systemd service or something else that mounts the remote, or executes automatic
rclone move (or copy) commands, then you have to read the password from a flat file on the system. And that file (or script) can be read by VPS owners.
If you’re manually executing all your rclone commands, then you don’t have to worry about this, but if you’re doing anything automated, how else are you loading the password so rclone can read the config?
As per the rclone docs:
If you are in an environment where that isn’t possible, you can add a password to your configuration. This means that you will have to enter the password every time you start rclone.
Just something to keep in mind.