I share the same security concerns with you. The reason Remote Control's database is not encrypted is that it is supposed to run unattended, i.e. not wait for your input on launching a backup. So, it all comes down to how secure your PC really is.
The first option is having a dedicated system behind a firewall, with a solid antivirus system and where you do not install anything but updates (and visit no sites). Or use Linux. It is extremely hard to attack Linux systems unless you are a real hacker - and the vast majority of attacks is performed by bots, not humans.
If you are even more paranoid than this, you should consider using Akeeba Backup Professional. You can set it up so that it sends its backup files to Amazon's S3 or DropBox upon completion. This is the safest backup storage method, as the backup file is removed from the server as soon as the backup is complete and no credentials are transferred between your site and your PC.
Regarding the importance of removing backup files from your site, I'd say it's of PARAMOUNT importance. Do you leave your door key under the door mat? If you do, you run the risk of someone picking up the mat, taking the key and entering your house. The same thing goes with a backup file. It contains the keys to your site. If one of your installed components suffers a directory traversal vulnerability, a malicious hacker could in theory exploit this to grab your backup file (or just its first few kilobytes) and extract the database connection information. From that point, it's a hacker's joyride cracking your site. That's why I preach that the safest backup is the one which is stored on three different media BUT NOT on your site. My backups are usually stored on cloud storage, an external hard disk and a flash disk. I never leave them on the server.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!