I’ll be accepting user form submissions which will include sensitive data, such ass email, addresses and names. Nothing critical, but nothing that should be allowed to be leaked.
Does cockpit store form submissions in plain text? Can I make sure to harden the forms somehow?
You can hook in the form save trigger and encrypt the form data, take a look on https://github.com/owldesign/Encrypt, as it provides encryption to collection fields.
In general I would ALWAYS do form submissions via https to prevent man in the middle attacks.
Having them encrypted in the db? well…your choice 
@artur, think it may depend on the data being saved and due to GDPR - https://gdpr-info.eu/issues/encryption/
Right, but then I would implement the encryption on db (system) level
I have a special opinion regarding to GDPR but this is another topic 