Thanks. I did look at the FAQ before posting, but I didn't read that entry because the title is a bit misleading. Instead of saying "Could there be a password to restrict access to Joplin?", I would probably say instead "Are my data encrypted?" (or, "Are my data encrypted at rest?" Or "Are my data encrypted when using end-to-end encryption?")
And thanks for pointing out that all notes are unencrypted as well at rest. I would never have guessed that this is how things were implemented. There's nothing wrong with doing it this way, as long as the end user is made aware of this when deciding to implement end-to-end encryption. So, at a minimum, I think that there needs to be strong warning in the documentation and within the application settings that this is the current behaviour when encryption is being used.
Edit: For those who are wondering why encryption at rest is not implement, I suggest that you read this post by the lead develop: Requesting encryption of local Joplin data (at rest encryption) - #28 by laurent