The help section of the website says
"If an attacker gains access to your operating system, it is theoretically possible for him to modify the locally stored Boxcryptor settings in such a way that the protection feature can be circumvented."
This seems to imply that even if the "Password Protection" feature is enabled the password (or the decrypted master key) is still stored locally. This seems an unfortunate step back in security if I understood correctly that previously the password was not stored at all unless "Remember Password" was enabled.