I expressed my concerns with this months ago to @jason when I first started on the app but was told it's standard practice. I'm with you. Session tokens, no plaintext.
A BIP39 mnemonic should be provided to the user and forgotten. The Memo password should encrypt the XPRV for this specific account and should be unlocked on each session.