Well, as they say, Winbox uses a proprietary protocol that they don't know, hence why the tool doesn't use it.
If someone is hacker enough to try and figure out the protocol, they will end up building a similar tool to the one for the API. So all in all, Winbox is only a little bit safer than the API protocol.
If they figure it out... Your RouterOS password better not be in their dictionary.
To REALLY keep yourself safe, you can always just add the IPs from which you might want to access the router. This is applicable to all protocols - Winbox, API, and also SSH and everything else, and can even be done on a per-user basis (e.g. you may make a read-only user that's accessible from anywhere, plus an admin that's only accessible from certain IPs).
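The address restrictions described in the post above, written as RouterOS CLI commands. This is an added example, not part of the original post; the addresses, the user name `monitor` and the password are placeholders.

```routeros
# Added example. 192.0.2.10 and 198.51.100.0/24 are placeholder (documentation)
# addresses; replace them with the hosts/networks you actually manage from.
# Apply these from an address that stays allowed, or the current session is cut off.

# Show the services and their current "address" (allowed-from) lists.
# An empty list means the service accepts logins from any address.
/ip service print

# Option A: per-service restriction.
# Winbox, API and SSH accept connections only from the management addresses.
# This applies to every user of those services, whatever their user settings.
/ip service set winbox address=192.0.2.10/32,198.51.100.0/24
/ip service set api address=192.0.2.10/32,198.51.100.0/24
/ip service set ssh address=192.0.2.10/32,198.51.100.0/24

# Option B: per-user restriction, services left reachable.
# admin may log in only from the management host ...
/user set admin address=192.0.2.10/32

# ... while a read-only user (hypothetical name "monitor") has no address
# limit and can log in from anywhere, but only with the rights of group "read".
/user add name=monitor group=read password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD"

# Confirm what was stored for each user, including the allowed address.
/user print detail
```

Options A and B can be combined, but a user is then limited to the intersection: a service-level list also blocks the read-only user from outside addresses.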