If someone gets your RDF file *and* your Master Password, they will *not* have a 'list' of your passwords, but they will be able to generate them, so, yes, *effectively*, they have all of your passwords.
I've been encrypting my RDF file when emailing it, but I'd sure like to see a hook into GPG or something similar to encrypt it all the time...