Yeah, if some outsider can read your PHP source code your entire site is compromised anyway. In that case exposing your password is not your biggest concern ?? I hope that’s an example password and not your actual one. Even though we don’t know where your DB is, you ought to change it if it’s your actual password. By now it has made its way onto lists hackers use to brute force their way into sites.
The WP DB password is assigned to a constant, which is global in scope by its nature. Instead of using a global variable, you could do define('DBAA', 'S(89ydeT5a');
Then when needed $mysqli = new mysqli("localhost","my_user", DBAA,"my_db");
or whatever.
You cannot redefine constants within the same request, but there would be no need to do so for passwords. FWIW, it’s considered by many to be poor programming practice to rely upon global variables. Only to be used when there is no other good option. OTOH, WP makes extensive use of them.