When the native client is started through tlclient.cgi, the password can optionally be transferred in the generated configuration file. By default, /opt/thinlinc/etc/tlclient.conf.webtemplate contains the line:
REMOVE_CONFIGURATION = 1
...which causes tlclient to remove the entire config file (which contains the password) after it has read it. However, if the browser does not launch tlclient automatically, users have the possibility to edit the file and remove the REMOVE_CONFIGURATION line before starting tlclient. This way, they can save the password to the local machine.
Even if the user is not manually editing the config file, the fact that the file is downloaded - and managed - by the browser could be a little problematic. For example, the browser might cache the content one way or another.
One alternative solution could be that tlclient.cgi generates a configuration file which only contains a URL to a web service. Then, tlclient (rather than the browser) would connect to that web service in order to retrieve a configuration file, possibly containing a password. However, for security, some kind of hash or OTP system is necessary.
Also note that having tlclient retrieve the file means that browser related connection settings such as proxy server etc is not automatically honored.