I really don't see what this has to do with WinSCP, but perhaps I can illuminate things anyway.
As for the MFT: the OS is simply trying to allocate disk space as efficiently as possible. It has no idea whether any particular data is sensitive or not, and the proper tool to address that is EFS. The filesystem is no less secure because of the choice to store small files in the MFT. Filesystem access controls still apply.
The kind of "security" you seem to be asking about is what the filesystem could do to make it easier to dispose of your hard drive, without worrying about its former contents being readable. NTFS doesn't care about this kind of security because it doesn't matter. At the end of your hard drive's life you'll either destroy it completely or you'll overwrite all its contents with a low-level tool that doesn't care about formatting, MFTs, filesystems, or anything else.
Now let's address key encryption. If you in fact provided a password to puttygen.exe then the key IS encrypted. The fact that quasi-human-readable plain text bits are wrapped around an encrypted binary blob does not change the fact that the binary blob itself is encrypted and essentially unreadable without knowing the passphrase you assigned it. You can test this by opening the private key in puttygen. When opened, puttygen will prompt for the passphrase.
Essentially what's happening is this: there's a chunk of plain text that says

    This is an XYZ type of public key:
    STUFF
    This is an XYZ type of private key:
    STUFF

The STUFF is the part that's encrypted, not the plaintext bits surrounding it. (Those plaintext bits aren't secret, anyway.) The public key probably isn't encrypted (I don't remember for sure), but that doesn't matter because it's public. The public part is supposed to be widely distributed and doing so doesn't break the security of the authentication scheme. This is because given the decrypted private key, it's easy to derive the public key. However, given the public key, it's essentially impossible to derive the private key. Perhaps some other people have handy links to tutorials on public/private key authentication schemes and PKI if you're interested in learning more. (An internet search would turn up plenty of results, too.)
If you still aren't sure it's encrypted, fire up PuTTY, Pageant, or WinSCP, and try to authenticate with the private key file. You will be asked for the passphrase, which, if you don't enter correctly, will cause the decryption and subsequent authentication to fail.
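As an added illustration (not part of the original answer), here is a small Python parser for the .ppk layout the answer describes: plaintext header fields, an unencrypted Public-Lines section, and a Private-Lines blob that is ciphertext when the key was saved with a passphrase. The sample files are constructed with dummy payloads; the header names are the ones PuTTY's key file format uses.

```python
import base64


def b64_lines(data: bytes, width: int = 64) -> str:
    """Wrap bytes as base64 at the 64-column line width .ppk files use."""
    text = base64.b64encode(data).decode()
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed samples (not real keys): the payloads are dummy bytes, only the
# header layout mirrors PuTTY's .ppk format.
PUBLIC_BLOB = bytes(range(80))          # public half is stored in the clear
PRIVATE_BLOB = bytes(range(96, 0, -1))  # 96 bytes: AES block-aligned "ciphertext"

PPK_WITH_PASSPHRASE = (
    "PuTTY-User-Key-File-2: ssh-rsa\n"
    "Encryption: aes256-cbc\n"
    "Comment: example-key\n"
    f"Public-Lines: 2\n{b64_lines(PUBLIC_BLOB)}\n"
    f"Private-Lines: 2\n{b64_lines(PRIVATE_BLOB)}\n"
    "Private-MAC: 0000000000000000000000000000000000000000\n"
)
# The same key saved without a passphrase: puttygen writes "Encryption: none".
PPK_NO_PASSPHRASE = PPK_WITH_PASSPHRASE.replace("Encryption: aes256-cbc",
                                                "Encryption: none")


def parse_ppk(text: str) -> dict:
    """Split a .ppk into its header fields and decoded base64 sections."""
    lines = text.splitlines()
    info, i = {}, 0
    while i < len(lines):
        name, _, value = lines[i].partition(": ")
        i += 1
        if name.endswith("-Lines"):          # Public-Lines / Private-Lines
            count = int(value)
            info[name[:-6].lower()] = base64.b64decode("".join(lines[i:i + count]))
            i += count
        else:                                # Encryption, Comment, MAC, Argon2 fields (v3)
            info[name.lower()] = value
    return info


def is_passphrase_protected(info: dict) -> bool:
    """Only the Private-Lines blob is encrypted; the headers and the public
    key are plaintext either way, so the Encryption field is the tell."""
    return info.get("encryption", "none") != "none"
```

Running it against a real key file from puttygen gives the same answer the answer above suggests: `Encryption: none` means you saved it without a passphrase, anything else means the private blob is ciphertext.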