That doesn’t send email in any other way than via postfix so from this instance roundcube can not send mail, i know you hate php, but to be fair I guess you could exploit something written for node in the same way if you have the user account password, the point here is for the OP to workout how the password was leaked and not what coding language was used
As @Joe stated above there are other ways.
Roundcube is not immune to such practices.
and PHP (or any language) is particularly susceptible in part due to its popularity
or totally immune