Your Postgres instance cannot be accessed by hosts on the public Internet, but it could in theory be accessed by someone logged in to another PythonAnywhere account if they had access to the password and the hostname/port combination.
It looks like connections to Postgres databases are not currently encrypted. That's something we should change, I think, but I also don't think it's a risk right now -- it's just something we should fix for the sake of completeness. The reason I don't think it's currently a serious issue is that users on PythonAnywhere servers do not have the necessary permissions to sniff network traffic, and the connections are made entirely within our private network.
All that said, I've made sure that providing encrypted connections to Postgres within our network is in our issue tracker with a high priority, because encrypting everything, even within our network, is definitely best practice.