Answer is correct, I just want to clarify a bit more:
“Password protected” in your case probably just means that you have a bootloader password or a user account password. Both would not matter in this case. If you put your drive or partition anywhere else, and it’s not an encrypted partition, it can be read. Independently of user access rights. Any other OS accessing the same drive/partition can literally read everything if it’s not encrypted. Provided, of course, that there’s a file system driver available for the OS.
Windows by default doesn’t have any Linux filesystem driver installed. I’m not sure if that’s still the case when you install WSL. And there are 3rd party Linux filesystem drivers available as well.
But to protect yourself against robbery or a Windows which might in the future include a Linux filesystem driver, you should always encrypt all of your partitions. And when encrypting, use Bitlocker only for your Windows system partition, not for any data partitions, and certainly not for Linux partitions. For Linux partitons, use the integrated LUKS2. Bitlocker on Windows isn’t private encryption by the way, since a recovery key is being uploaded to MS’ servers automatically. That means MS has theoretical access, the US government has, and law enforcement has. As well as any hackers who manage to exfiltrate that key from somewhere. That’s why I’d use Bitlocker only for the C: partition, a 3rd party encryption tool like VeraCrypt for any other Windows partition, and LUKS2 for any Linux partiton.
Just FYI I installed the apk from the github repo (not the google play version) via Obtainium a few days ago and it tried to make a connection to 2 cloudflare IPs during setup of my account. Without prior consent or any mention. So just be aware that there is still some form of telemetry or unwanted connections happening, even though they removed the telemetry flowing to Mozilla’s own telemetry endpoint. K-9 had zero of this, it just spoke with your mail servers and that was it. So be careful and block outgoing app connections by default. I did not analyze the data being sent, just that there were those 2 unwanted connectiins. happening.