martin

Re: Password Security for Scripting

Yes, the assembly decrypts the password. It has to, for the obvious reason, which you state yourself.

It does it using Marshal.SecureStringToGlobalAllocUnicode. Though that's a technicality, that does not really matter.
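
The call named in the reply above, shown as an added PowerShell example (not WinSCP's code and not part of either post). `Use-PlainTextBuffer` and the sample secret are hypothetical; the sketch shows only the general .NET pattern of decrypting a SecureString into an unmanaged buffer and zeroing it afterwards, not what the assembly does internally.

```powershell
# Added illustration; hypothetical helper, not WinSCP source code.
# Constructed sample secret. In a real script the SecureString would come from
# Read-Host -AsSecureString or Import-Clixml, never from a literal.
$secure = New-Object System.Security.SecureString
foreach ($c in 'Constructed-Sample-1'.ToCharArray()) { $secure.AppendChar($c) }
$secure.MakeReadOnly()

function Use-PlainTextBuffer {
    param(
        [Parameter(Mandatory)] [System.Security.SecureString] $SecureString,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $marshal = [System.Runtime.InteropServices.Marshal]
    $ptr     = [IntPtr]::Zero
    $chars   = New-Object char[] $SecureString.Length
    try {
        # Decrypts the SecureString into an unmanaged UTF-16 buffer.
        $ptr = $marshal::SecureStringToGlobalAllocUnicode($SecureString)
        # Copy into a char[] rather than a String: a managed String is
        # immutable and cannot be wiped, an array can.
        $marshal::Copy($ptr, $chars, 0, $chars.Length)
        & $Action $chars
    }
    finally {
        # Overwrite the unmanaged copy with zeros, then free it.
        if ($ptr -ne [IntPtr]::Zero) { $marshal::ZeroFreeGlobalAllocUnicode($ptr) }
        # Wipe the managed copy as well.
        [Array]::Clear($chars, 0, $chars.Length)
    }
}

# The action keeps a reference to the buffer so the wipe can be checked afterwards.
$seen = $null
$len  = Use-PlainTextBuffer -SecureString $secure -Action {
    param($buf)
    $script:seen = $buf
    $buf.Length
}

$nonZero = @($seen | Where-Object { $_ -ne [char]0 }).Count
"Clear text length inside the action: $len"
"Non-zero characters left in the buffer afterwards: $nonZero"
```

Any copy the consumer makes of the clear text (for example a `String` built from the buffer) is outside this cleanup and stays in memory until the garbage collector reclaims it.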

aksarben

Password Security for Scripting

I'm unclear on the best way to securely give the SFTP account password to the .NET Assembly session object.

The documentation (https://winscp.net/eng/docs/library_sessionoptions#securepassword) seems to imply we just set the session’s SecurePassword field to a PowerShell SecureString. I can do that, but our SFTP server doesn’t know anything about PowerShell or SecureStrings. How does the server get the clear text password?

Is the .NET Assembly somehow able to decrypt the SecureString to a clear text password? If so, how does it do that?

And if the .NET Assembly can decrypt the password, does it zeroize/erase the clear text password from memory after sending it to the SFTP server?