Why not specify a password hash instead? And then just check if the hash of the password entered matches the one in the config file? But in the end, if the password is submitted via JSON-RPC/REST as plaintext, packet sniffing on the computer would do the job just as well.
It has to be stored in plain text or equivalent, otherwise the user would have to provide the password every time they ran bitcoin-cli or any other API client. If someone had root access to be able to sniff internal packets, they could also get the password by recording keystrokes.
Authenticating a local service with a shared secret stored in a file with restricted permissions is not uncommon, by the way; for example, the X11 protocol and MySQL (by default) work the same way. On some platforms, including Linux, it's possible to check the peer UID through a Unix-domain socket, but I imagine the developers want to minimize platform-specific code.
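The two mechanisms the answer above contrasts, shown together as an added example (this is illustrative code, not Bitcoin Core's own implementation). The first half does the "shared secret in a file with restricted permissions" pattern: a random token is written with mode 0600, the reader refuses the file if it is owned by someone else or is group/world accessible, and the comparison is constant-time. The second half does the platform-specific alternative: a server on a Unix-domain socket reads the connecting process's credentials with `SO_PEERCRED` and only accepts a peer whose UID matches its own. The `.cookie` and `rpc.sock` names are placeholders chosen here; `SO_PEERCRED` is assumed to be Linux-only, and `peer_uid` returns `None` where the platform lacks it.

```python
import hmac
import os
import secrets
import socket
import stat
import struct
import tempfile


def write_secret_file(path: str) -> str:
    """Generate a random shared secret and store it readable only by the owner
    (mode 0600), the way a local RPC "cookie" file is typically kept."""
    token = secrets.token_hex(32)
    # O_EXCL: fail rather than clobber (or follow a symlink planted at) an
    # existing path; the mode is applied at creation so there is no window
    # during which the file is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


def read_secret_file(path: str) -> str:
    """Refuse to use a secret file that other local users could read or modify."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError("secret file is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("secret file is group- or world-accessible")
    with open(path) as f:
        return f.read().strip()


def secret_matches(expected: str, presented: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the secret."""
    return hmac.compare_digest(expected.encode(), presented.encode())


def peer_uid(conn: socket.socket):
    """Return (pid, uid, gid) of the process at the other end of a Unix-domain
    socket via SO_PEERCRED. Assumed Linux-only; returns None where unsupported."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    # struct ucred on Linux is three 32-bit ints: pid, uid, gid.
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return pid, uid, gid


def demo_cookie_flow():
    """Write a cookie, read it back under the permission check, compare it, then
    loosen the permissions and confirm the reader refuses the file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".cookie")  # placeholder file name
        token = write_secret_file(path)
        ok = secret_matches(read_secret_file(path), token)
        os.chmod(path, 0o644)  # simulate a misconfigured, world-readable cookie
        try:
            read_secret_file(path)
            refused = False
        except PermissionError:
            refused = True
        return ok, refused


def demo_peer_check():
    """A client connects over a Unix socket; the server accepts the connection only
    if the peer's UID equals its own. Returns None on platforms without SO_PEERCRED."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "rpc.sock")  # placeholder socket path
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        srv.listen(1)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(sock_path)
        conn, _ = srv.accept()
        try:
            creds = peer_uid(conn)
            if creds is None:
                return None
            return creds[1] == os.getuid()
        finally:
            conn.close()
            cli.close()
            srv.close()


if __name__ == "__main__":
    print("cookie flow (matched, refused-when-loose):", demo_cookie_flow())
    print("peer UID accepted:", demo_peer_check())
```

Note what each check does and does not buy you: the cookie file keeps other local users out, but anyone who can read the current user's files (or log their keystrokes, as the answer says) gets the secret; the `SO_PEERCRED` check needs no secret at all, but it only identifies the local UID and cannot be used over TCP.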