FTP is exactly as secure as the network it's used over so internal to the server as WordPress uses it is as secure as that server (and if the server's been compromised, FTP's security is a side-issue)., through a VPN it's as secure as the VPN is and across the internet, anyone who can intercept the packets can read the username and password.

It's basically less secure than plain http as it's not only completely unencrypted but 99% of the time the port number (which can be changed) and the format are so predictable you can set up a bot close to the hosting-provider end and have it process traffic with a simple regex. This is pretty much how hundreds of sites in Italy were compromised a couple of years back.

If you have SSH setup then there are built-in options on Linux/OSX and for Windows you can use WinSCP for file transfer using SCP or SFTP protocols and putty for command line. I also used to find it amusing, when I still used SuSE, that the KDE file manager could also be used for this by typing fish://[email protected]/ in the address bar of Konqueror. I still don't know what that stood for.