I must say that I am quite surprised at the amount of unencrypted information available on the phone. The stock Android browser stores saved passwords in plain text in a SQLite database at /data/data/com.android.browser/databases/webview.db. Yes, although other apps are unable to access the data directory of the browser app, once root access is granted, they could easily access it and transmit it to their server. Other potentially sensitive information includes SMSes/MMSes and Wi-Fi passwords, which are stored in the clear as well.
To be honest, I rarely think twice before installing apps which require root access. Some of these apps include those which are less popular, with 100s of downloads. I am starting to realise that this is very risky behaviour. My own app, which requires root access, now has over 100 downloads as of now. There is nothing stopping me from adding malicious code in an update to do the abovementioned.
Granted, the entire file/permissions system is based on the Linux kernel. However, Linux doesn't really face this problem because most of the code is open source. You are reminded time and again NOT to blindly execute code downloaded from the internet and not to run as root unless absolutely necessary. Android, on the other hand, has a less tech-savvy user base and its apps are largely closed source, all of which compounds the issue. Perhaps Google does screen apps and remove apps with malicious behaviour before publishing them. From experience, a published app goes live in about 3 hours, which seems enough only for it to be propagated to all the Play Store servers. Maybe apps are only screened when users make a report. But I'm sure not going to jeopardise my account to try it out.