Reading the code, I found there is one place in GnuPG where it writes a password into a file. It is removed after use, and its content is overwritten. But still, it's not good practice, because there is a small risk of access to the file or file system.
D550: gnupg: No writing passphrase as a file is a possible patch.