I haven’t tested your chaincode. But as far as you invoke with clear username password, they will be kept in the block as
chaincode_proposal_payload. Inside it all input arguments are encoded in base64. Therefore it is possible to decode them. It is true that the RWSet from endorsement will be encrypted per your chaincode.
I suggest you fetch a block keeping the transaction of invoking signUp(), and search for the input fields. Then you should be able to see the clear arguments.