YAML files have encrypted password but is on server. Can the combo be used to gain admin access to Grav?
YAML files should not be accessible from outside, if the server is correctly configured.
If that matter is already ok, if someone has access to the YAML files, it means the server is already compromised, admin access is not that much relevant at that point because Admin is just a tool to write files.
The encrypted passwords cannot be decrypted unless with brute force, as the algorythm to store them is one-way.