It took me a moment to understand what you're saying, which (correct me if I'm wrong) is that they could just forward the credentials along to the imap server they're proxying for, and not store those credentials themselves.
However, in 2013 it should be clear that it is no way whatsoever safe to just assume that information flowing through a third party's server will not be stored.
