...This will be safer for vpn passwords and other private data...
If you not protect the rb with protected-routerboot,
anyone can access actual config using netinstall with "keep old config" set (all files inside are lost)
upgrading to, for example 6.47, to new password databas version and netinstall again for downgrading to, for example, 6.40 to non-existant-database.
this clean admin password and you can gain ful access and export any password as cleartext
also exist some tools to start routerboard on ethernet boot and it display all file contents on LAN, including system files, like is one shared folder.
I'm Italian, not English. Sorry for my imperfect grammar.