This is because on most SAP systems, the standard out-of-the-box installation and configuration for the SLD does not use SSL for communications to/from the SLD.
If you use the J2EE_ADMIN account to access the SLD, then each authentication request that the SLD issues to the client system (the SAP system querying or updating the SLD) will be sent unencrypted.
If the client system responds with the J2EE_ADMIN account username and password (if you put this in the NWA or RZ70) then the username and password are simply combined into a standard HTTP BASIC authentication response (http://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA).
Essentially the username (J2EE_ADMIN) and password are combined into a string like this: <user>:<password> and then encoded (not encrypted) with BASE64.
This will then be sent in the clear (unencrypted) across the network to the SLD.
If you have Java stack full HTTP tracing turned on, you can see the authentication requests and responses and therefore see the password.
If you have a network packet sniffer installed, then you can see the authentication requests and responses and therefore see the password.
If you have a SAP PI system, you should really consider using SSL (HTTPS) for the SLD traffic. Since it is possible to completely bring down a SAP PI system by causing mayhem in the SLD.