The app's local storage itself can be encrypted with a password via the settings. If you do a backup though, the exported .json file is not encrypted. In fact, you can open the backup file and you can view the 2FA keys there, hence it's not a great idea to leave the backup unencrypted on your phone/computer's storage. It'd definitely be a good idea to VeraCrypt-ify the backup.