The current Firefox Sync (based on Firefox Accounts) still keeps everything client-side encrypted, rooted in password-derived keys and locally generated keys. It never sends the password to the server.
It does, however, download JavaScript served by Mozilla when you log into your Firefox Account, which means that Mozilla can cause your password to be sent to them unencrypted, if they so choose. This in turns means that a disgruntled employee, Mozilla the organization and any government which is able to compel Mozilla the organization or key employees can get access to your password at any time, rendering Firefox Sync completely untrustworthy.
That only occurs when you log into your Firefox Account via the web-based system, which necessarily has to use JavaScript to provide a client. If you log in via your browser, all the code lives in the browser.
Or, if you prefer, you could run a self-hosted version of Firefox Accounts on your own server.
