I was already uncomfortable with the fact that HSQL wants to store my SSH key password, but thought it should be okay because the key file is on heavily protected storage that I only mount for a few seconds when I need it.
Then I accidentally opened up a session without mounting the storage with my key file, and realized that HSQL or Plink must be caching the key itself! This is not good, and there should be an option to disable that - as well as a warning in BIG RED LETTERS telling users that HSQL will in fact be storing all their secrets.
Looking around for a workaround or alternative software hasn't yielded anything promising...