BEcause t generate blocks, the client needs to know your passphrase - because every block you generate will need to be signed (on the node which you use for forging). If you use a local node, this is safe! If you use a remote node, you must trust it not to log your passphrase and empty your wallet at some point in the future.