Passwords are stored on the local computer using the same mechanism Thunderbird uses for IMAP and POP passwords. For technical details, do a web search for "nsIPasswordManager".
The sync network traffic carrying usernames, passwords and contacts goes between Thunderbird and the server(s) you selected. No third party web sites are involved.
For Google, the addon defaults to using https.
For more details, see:http://www.zindus.com/faq-thunderbird/#toc-security