When errors occur (like the collection server not responding), Picard shows the error in the GUI's status line, including http requests containing username & password in clear text. I regard this as a double security problem:

Firstly, the username and password get shown for everyone to read in the status bar.

Secondly, even with https requests, apparently the username & password get transmitted over the net in clear text, like in the example shown? (https://username:password@musicbrainz.org/ws/2/collection)