With “access to”, I was referring to the ability to obtain rather than having them stored in plain-text. They run almost all of our tech and network infrastructure in the building/department. It’s not too difficult to do a man-in-the-middle attack for them or (I think?) to just plain decrypt some of the HTTPS traffic (as they issue the SSL certificates for CS sites including this one). Same argument applies to university-wide IT Services. And the same for corporate networks run by companies (such as all of my previous employers).
The larger point remains that we need to be able to trust humans running our systems.