The admin credentials shouldn’t ideally be stored in the .env file; they would usually be stored in the database. Once you have the CMS up and running, you should create some admin users (their details are encrypted in the database) and remove the default details from the env.
The database connection details are stored in the env file, yes. This is quite normal for any web application, not just Silverstripe. Some store them in a PHP file, some in XML, some in the environment. Without these connection details the site wouldn’t be able to work.
You can avoid using the .env file if you set the relevant values in the server environment (in the host configuration for example). But they do need to live somewhere.
The most important sentence is this:
This is completely true, but again, it’s not a Silverstripe-specific thing. Whatever code you are using, if someone has access to the files on your webserver, then they can do bad things (not just gaining access, but installing malicious code, etc. too). You should be extremely careful about securing access to your website’s files.
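As an added example (not part of the post above and not Silverstripe project code), the following POSIX shell script checks a `.env` file for the two points the reply makes: that the default admin login has been removed once real admin users exist in the database, and that the file is not readable by every user on the server. The variable names `SS_DEFAULT_ADMIN_USERNAME` and `SS_DEFAULT_ADMIN_PASSWORD` are the Silverstripe 4 names; the sample `.env` contents are constructed for the demo and the path handling assumes GNU `stat` with a BSD `stat` fallback.

```shell
#!/bin/sh
# Added example, not from the original post or the Silverstripe project.
# Audits a .env file for the two points made in the reply:
#   1. the default admin login should be removed once real admins exist in the DB
#   2. the file must not be readable by other users on the server
# SS_DEFAULT_ADMIN_USERNAME / SS_DEFAULT_ADMIN_PASSWORD are the Silverstripe 4
# variable names; the .env contents below are constructed for the demo.

# audit_env_file FILE -> exit status 0 if clean, 1 if any finding (findings printed)
audit_env_file() {
    file="$1"
    rc=0
    if [ ! -f "$file" ]; then
        echo "FINDING: $file does not exist"
        return 1
    fi

    # 1. default admin credentials still present?
    if grep -Eq '^[[:space:]]*SS_DEFAULT_ADMIN_(USERNAME|PASSWORD)[[:space:]]*=' "$file"; then
        echo "FINDING: default admin credentials are still defined in $file"
        rc=1
    fi

    # 2. readable by "other"? (octal mode: GNU stat first, BSD/macOS stat as fallback)
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *[4567]) echo "FINDING: $file is world-readable (mode $mode)"; rc=1 ;;
    esac

    return $rc
}

# Demo with constructed files in a temporary directory
demo=$(mktemp -d)
printf 'SS_DATABASE_SERVER="localhost"\nSS_DATABASE_USERNAME="app"\nSS_DATABASE_PASSWORD="example-only"\n' > "$demo/clean.env"
chmod 600 "$demo/clean.env"
printf 'SS_DEFAULT_ADMIN_USERNAME="admin"\nSS_DEFAULT_ADMIN_PASSWORD="password"\n' > "$demo/default.env"
chmod 644 "$demo/default.env"

audit_env_file "$demo/clean.env" && echo "clean.env: OK"
audit_env_file "$demo/default.env" || echo "default.env: needs attention"
rm -rf "$demo"
```

Run it against the real file with `audit_env_file /path/to/.env` after sourcing the script; a non-zero exit status means at least one finding was printed. The mode check looks only at the "other" permission bits, since group read access is often intended for the web server's group.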