On the machine itself, it is difficult to access the database files if SQL Server is running. But if you have made your inroads to the machine so that you have permission to access the files, you are likely to have permissions to kill SQL Server as well.
If there is a backup tool that uses the VSS service, VSS can instruct SQL Server to freeze the database, so that the backup tool can take a consistent backup of the files. (Such backup tools work at the volume level.)
If the database is on a SAN, the SAN administrator can take a shadow copy of the entire volume. Note that the SAN administrator does not need access to the machine where SQL Server is running.
Once you have the MDF files, there is no problem reading them. The easiest way is of course to attach them to an SQL Server instance, but the file format is not exactly a secret.
And, yes, by default, the data is stored unencrypted. You can apply TDE, Transparent Data Encryption, to encrypt the files. With TDE, only stealing the MDF will take you nowhere. Then again, if you have access to the machine, getting the keys is not that difficult. (But for the SAN admin, there is now an uphill battle.)
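
Added example, not part of the original answer: T-SQL that first reports which databases on an instance still have unencrypted files at rest, then enables TDE on one of them. The database name `SalesDb`, the certificate name `TdeCert`, the file paths and the passwords are placeholders assumed for illustration.

```sql
-- 1. Audit: which databases are still stored unencrypted on disk?
--    encryption_state: NULL/0 = no encryption key, 1 = unencrypted,
--    2 = encryption in progress, 3 = encrypted.
SELECT d.name                AS database_name,
       d.is_encrypted,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       c.name                AS protecting_certificate
FROM   sys.databases AS d
LEFT   JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
LEFT   JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
ORDER  BY d.is_encrypted, d.name;
GO

-- 2. Enable TDE for one database (placeholder names throughout).
USE master;
GO
-- Skip this statement if master already has a database master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (example)';
GO
-- Back up the certificate and private key, then move the files off this
-- machine. Without them the MDF and its backups cannot be restored on
-- another instance.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\placeholder\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\placeholder\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<another-placeholder>');
GO
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 3. Re-run the audit query; SalesDb should move from state 2 to state 3.
```

The certificate and its private key stay on the server in the `master` database, which is why TDE stops someone who only holds a copy of the volume but not someone with administrative access to the machine. Enabling TDE on any user database also encrypts `tempdb`.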