jamesboehmer | 1 year ago

In this day and age, why does Thunderbird still ask for my password to store locally instead of using a standard OAuth flow? Every time I consider using Thunderbird, I just can't bring myself to enter a password. It feels like such an antiquated violation and gaping security hole.

Hakkin|1 year ago

I'm not sure what you mean; I just added a new Gmail account to test and it went through the normal OAuth flow. I didn't have to enter any password into Thunderbird itself, just the Gmail OAuth popup.

vdfs|1 year ago

Another problem I have is that when setting a master password, it doesn't use Linux PAM to re-use the login session password.

Borealid|1 year ago

Thunderbird supports using TLS client certificates or Kerberos as alternatives to a password for IMAP access.

When you do choose to store a password locally, it's stored encrypted using a second password of your choice.

Since the end result of an OAuth login is a "token" (password...) stored on your machine, I think the difference is pretty marginal either way. But I do hear they're working on OAuth-for-IMAP support. If it were more standardized they probably would have implemented it sooner.
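Added example, not part of any comment in this thread: it shows how an IMAP client presents a stored OAuth token, which is why the token needs the same handling as a password. It assumes the SASL XOAUTH2 and OAUTHBEARER (RFC 7628) mechanisms, which the thread does not name; the account, host and token values are constructed.

```python
import base64
import re


def xoauth2_response(user: str, token: str) -> str:
    """Base64 initial client response for SASL XOAUTH2."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def oauthbearer_response(user: str, host: str, port: int, token: str) -> str:
    """Base64 initial client response for SASL OAUTHBEARER (RFC 7628)."""
    raw = f"n,a={user},\x01host={host}\x01port={port}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def extract_bearer(b64_response: str):
    """Return the bearer token carried in either response format, else None."""
    try:
        raw = base64.b64decode(b64_response, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    for field in raw.split("\x01"):
        if field.startswith("auth=Bearer "):
            return field[len("auth=Bearer "):]
    return None


AUTH_LINE = re.compile(r"(AUTHENTICATE (?:XOAUTH2|OAUTHBEARER) )(\S+)", re.I)


def redact_log_line(line: str) -> str:
    """Redact a token-bearing SASL blob before an IMAP debug log is shared."""
    def _sub(m):
        blob = m.group(2)
        return m.group(1) + ("[REDACTED]" if extract_bearer(blob) else blob)
    return AUTH_LINE.sub(_sub, line)


if __name__ == "__main__":
    # Constructed sample values; no real account or token.
    blob = xoauth2_response("alice@example.com", "constructed-token-123")
    print("token recovered from blob:", extract_bearer(blob))
    print(redact_log_line("A1 AUTHENTICATE XOAUTH2 " + blob))
```

The base64 layer is encoding, not encryption, so anyone who can read the client's token store or an unredacted protocol log can replay the token until it expires or is revoked.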

Macha|1 year ago

Some email providers support OAuth. For some of those (Microsoft and Google), Thunderbird does support the OAuth flow. However, how you connect OAuth to email is not really standardised, so my understanding is even though "it's all OAuth", these implementations are a lot more vendor specific than you'd expect.

Also the need for the email client to have a relationship with the OAuth provider is probably a discouragement for some of the smaller email providers to move to OAuth.

ale42|1 year ago

Some providers actually need a password. Not everybody supports OAuth -- Thunderbird does, and can use it when it's available.

franga2000|1 year ago

As far as I know there are only two email providers that support OAuth: Gmail and Microsoft. Each uses their own standard to do it, but both are fully supported in Thunderbird with no passwords stored locally.