[Borealid]

Thunderbird supports using TLS client certificates or Kerberos as alternatives to a password for IMAP access.

When you do choose to store a password locally, it's stored encrypted using a second password of your choice.

Since the end result of an OAuth login is a "token" (password...) stored on your machine, I think the difference is pretty marginal either way. But I do hear they're working on OAuth-for-IMAP support. If it were more standardized they probably would have implemented it sooner.