I experimented with ROCK on an old HP desktop 2 or 3 weeks ago. When I used the Roon app on an Android tablet to get music from Roon server on ROCK, I don’t recall being asked for id/password. (I do recall being asked, the first time, to switch a license from my old HP/Windows system to the HP/ROCK system.) Maybe I’ve forgotten being asked for and supplying id/password, but I don’t think so.
Now, about optimizing sound quality as the main purpose. Good as far as it goes. But if something is running on a general-purpose OS, an OS that could do all kinds of things, security in a server under that OS cannot be dismissed. An program, like Roon server, when it runs on a general-purpose OS, is using all kinds of code (think DLLs, not to mention kernel functions) about which the program probably knows very little. So that program has to be sensitive to security issues. And finally, remember that Roon server isn’t just dealing out music files; it’s accepting commands about what to play, about information to put into its database (tag information, I guess), about how to play music (upsampling and filtering, I think). Roon server in a general-purpose OS is being told how to behave, possibly by a Roon app on a different system (eg, tablet). Buffer overruns, for example, are a classic exploitation of a command interface. I do not say that Roon server is vulnerable to buffer overruns specifically, but I am concerned that Roon server might be vulnerable in some way or another.