I also think writing the passphrase to temporary files is really not secure.
IPC could be a solution, but it is quite complicated (they are binary components, and you have to provide a different one for each platform).

In my opinion, a temporary fix would be to call gpg with the arguments --passphrase mypassphrase (instead of writing the passphrase to a file and calling --passphrase-file).
I sent a patch to firegpg a few weeks ago but I had no feedback. (OK, I also made a few other proposals, and my patch was quite messy, maybe that's the reason why it was not included).

The main part of it was:

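// Run the executable found at a chrome:// URL with the given argument list.
function runChromeCommand(chromePath, args) {
    var ioService = Components.classes[NS_IOSERVICE_CONTRACTID].getService(Components.interfaces.nsIIOService);
    var uri = ioService.newURI(chromePath, null, null);

    // Resolve the chrome:// URL to a path on disk. The post cuts this
    // statement off after the "."; the calls that follow are an assumed completion.
    var realPath = Cc["@mozilla.org/chrome/chrome-registry;1"].
        getService(Ci.nsIChromeRegistry).
        convertChromeURL(uri).QueryInterface(Ci.nsIFileURL).file.path;
    var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
    file.initWithPath(realPath); // assumed: this line is not in the post

    // Also cut off after the "." in the post; createInstance/init are assumed.
    var process = Cc["@mozilla.org/process/util;1"].
        createInstance(Ci.nsIProcess);
    process.init(file);

    // Blocking run: returns once the script has exited.
    process.run(true, args, args.length);
}

const FIREGPG_UNIX_SCRIPT = "chrome://firegpg/content/run.sh";

// The passphrase is passed as a gpg argument instead of through --passphrase-file.
var args = [].concat(this.getGPGCommand(), tmpStdOut,
    "--quiet", "--no-use-agent", "--no-tty", "--no-verbose", "--status-fd", "1", "--armor", "--batch",
    "--default-key", keyID,
    "--output", tmpOutput,
    "--passphrase", password,
    "--clearsign", tmpInput);

try { runChromeCommand(FIREGPG_UNIX_SCRIPT, args); } catch (e) { }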

It works fine, at least on my Linux laptop.
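
An added example, not part of the original post or of FireGPG's code: it compares what a second local process can read from /proc when a passphrase is given with `--passphrase` and when it is given on standard input with gpg's `--passphrase-fd 0`. A Python child stands in for gpg (an assumption, so the script runs without gpg installed), the passphrase is a constructed sample value, and it needs a Linux /proc.

```python
import subprocess
import sys

SECRET = "constructed-example-passphrase"  # constructed sample value

# Stand-in for gpg (assumption): a child that reads one line from stdin,
# as gpg does for --passphrase-fd, and then waits for EOF before exiting.
CHILD = [sys.executable, "-c", "import sys; sys.stdin.readline(); sys.stdin.read()"]


def visible_argv(pid):
    """Return the argument vector exposed in /proc/<pid>/cmdline.

    On a default Linux setup this file is readable by every local user.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [arg.decode() for arg in f.read().split(b"\0") if arg]


def run_and_inspect(extra_args, stdin_data):
    """Start the child, snapshot its exposed argv, then let it exit."""
    proc = subprocess.Popen(CHILD + extra_args, stdin=subprocess.PIPE)
    try:
        proc.stdin.write(stdin_data)
        proc.stdin.flush()
        return visible_argv(proc.pid)
    finally:
        proc.stdin.close()
        proc.wait()


def passphrase_on_command_line():
    # Same shape as: gpg --batch --passphrase <secret> ...
    return run_and_inspect(["--batch", "--passphrase", SECRET], b"")


def passphrase_on_stdin():
    # Same shape as: gpg --batch --passphrase-fd 0 ...  (secret sent over a pipe)
    return run_and_inspect(["--batch", "--passphrase-fd", "0"],
                           SECRET.encode() + b"\n")


if __name__ == "__main__":
    print("argv seen with --passphrase:   ", passphrase_on_command_line())
    print("argv seen with --passphrase-fd:", passphrase_on_stdin())
```
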