Actually, 0.0.0.0:* is not an invalid address, as it represents any foreign IP/port combo. My mistake was that I thought it was the local address, not the foreign address. So no issue here.
So it's clear-text, but we're okay since it's not discoverable outside of the computer, since it's not broadcast where you can dump the data via Wireshark or tcpdump on a separate device. The assumption is that the computer running Enpass isn't compromised. Hard to argue there, being that all bets are off once you no longer own your machine.
I have to ask... though I know SQLCipher has been through peer audits... has Enpass itself been audited for security leaks?