Why, out of interest, do you care about privacy when you are sending all of your messages to a third-party system? Unless you encode the text itself that you send (been possible for a very long time with Pidgin plugins etc.) then the debate from 5-6 years ago that you are presumably referring to deals with your assertion.
Namely their storage of plaintext passwords in your ~/
Pidgin and Adium are discussed in the guide specifically because they can do OTR. The trouble is that both clients are probably quite vulnerable to remote code execution bugs arising from things like memory corruption. Hence using them might protect you quite a bit from someone recording your IMs, but also expose you to someone who knows about a specific unpatched vulnerability and can send you messages taking over your computer.
The authors of the guide are very aware of this concern and will definitely be considering it further.
> Namely their storage of plaintext passwords in your ~/
Personally, I don't see this as terribly bad. An attacker with physical access can do a lot more damage than just discovering your XMPP credentials, and if that's all they were looking for, they could just replace the Pidgin binary to send the credentials in plaintext to Moldova the next time you launched it. You need full-disk encryption to really not be affected by this.
However, libpurple is a sea of zero-days. It's a library made to deal with input over the network written in C, which is really enough to be damning. There's far, far worse in libpurple than storing plaintext passwords.