unencrypted if you want to. firefox always allowed a password so it is encrypted at rest. you will have to pry it out of the process memory after the user type the password.
Why can't any code that want's to steal your passwords in firefox's DB just use firefox's open source code to decrypt? Firefox requires no password to start up and access your passwords so why couldn't any other code just follow the same process?
True. They suggest you use a master password, which solves this problem. But if you ignore that it will generate one for you which will only make it a little bit more annoying for anyone trying to steal directly from the offline file.