From a security point of view I don't see it as much different than in previous EE versions.
You need to protect your SDB/XML files.
But is the SDB file encrypted, it isn't (seems to be)? Which means it can be used only by the WinTech/SafeTech tool.
Please correct me if I'm wrong.
It does not matter if it is encrypted or not. Once you have the SDB file, you can access protected disk data using the tools that you have mentioned.
In my opinion it's not true, because I have to get the WinTech tools (requires a grant number to download) and a daily authorization code (requires a service portal account). If I have the encryption key I can use "some other tools" to "read" the encrypted disk.
It is not said that the tech tool and daily code are hard to get, but it's some kind of protection. Unless McAfee implements AES in its own proprietary way, then the case is simple.
Fortunately exporting recovery information can be restricted to authorized persons.
Don't rely on obscurity in obtaining WinTech/SafeTech/EETech applications, or daily codes.
Protect access to the management console and exported security information.