People are quick to jump to conclusions especially when it comes to China but this is more like a half-assed attempt at a cloud account system than anything intentionally malicious.
I guess the idea would be that you'd have an account on their cloud service and it would cache the Wi-Fi password for you so that next time you buy a new smart home device, the client app can retrieve that password (as apps - at least on iOS - are not allowed to access saved Wi-Fi passwords) and automatically send it to the new device so it can connect to your wifi network without having to ask you to type the password.
How do they send that password? Well, they already have a telemetry channel for other reasons (like syncing the local on/off state of the plug with the cloud so local chances to the plug are reflected in the cloud app) so they decided to just stick it in there even though it's unnecessary and wasteful as the password would not change (and if it does, then the device would lose connection anyway so it would require explicit user intervention to reconfigure).
