Dovecot aligns the password encryption scheme used by the IMAP client with the password storage scheme used by the server.
Since the default is set to plain text, the client sends the password in plain text (TLS-tunneled), and the server's local storage of passwords is a plain text file.
For minimum protection, just enough to say you are not using plaintext, you can use MD5, so the client sends the hashed password and the server's local storage is a plain text file containing hashed passwords.
Last year a GDPR commissioner filed a hefty monetary sanction against a company because they used MD5 to store passwords.
Therefore, Dovecot's plain text default, and the MD5 option, are both non-GDPR-compliant.
To avoid monetary sanctions, Dovecot ought to change how it stores passwords by default.
Please do not ignore this message.