Yeah: what we really want is a way to strictly limit Sparrow's permissions, so they can only see new mail as it is passed in, and maybe only just enough for something like push. However, that's really on Google's end to implement, and I'm not sure just how much interest they have in third-party Gmail-specific mail clients.
If that database was unknowingly compromised there could be a lot of fallout. I think that's a much bigger concern than leaking passwords.