does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

Primary password protects only the stored passwords. It does not protect your emails in the case that someone has already breached your computer.

Thank you. I understand the email itself is plain text and not protected. My question is about the email account credentials.

Without a primary password, the logins.json file contains what appear to be encrypted passwords. But since they can be deciphered without a password (by simply running Thunderbird) they are obviously only obfuscated in some way. Even after enabling a primary password the logins.json file is still exactly the same. This is why I don’t see how any actual encryption has taken place.

A physical breach is not high risk for me, but the simple act of backing up my data (offsite or cloud) could be leaving obfuscated but unencrypted account credentials for a bad actor to find. Credentials that I thought were protected. Whatever algorithm deciphers the passwords could be implemented outside of the Thunderbird program itself.

I hope I’m wrong. Please explain what I’m missing.

Correct, it is not encryption with a passphrase or other credential. But you should protect/encrypt your data at rest using native OS or other capability, and you should protect/encrypt backup data.

https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password