I wonder though it that is a bug in DAViCal too… But I know nothing about that.
No, it’s just a rare configuration that I haven’t seen at other servers/services, but it’s perfectly OK to do so.
Hello,
DAVdroid uses Android’s account manager to store the passwords (see https://www.davdroid.com/privacy/), as recommended here: https://developer.android.com/training/articles/security-tips#Credentials.
See https://gitlab.com/bitfireAT/davdroid/blob/master-ose/app/src/main/java/at/bitfire/davdroid/AccountSettings.kt for details.
AccountManager usually stores its database in /data/system/users/0/accounts.db or something like that (may depend on your Android version and variant).