On the other hand, use of SFTP in place of FTP is mandatory in this day and age.
You must be kidding. Most SFTP clients suck. The OpenSSH SFTP client doesn't even have the equivalent functionality of the 80's vintage BSD FTP. No SFTP client even comes close to the functionality offered by something like ncftp.
FTP sends passwords in the clear; anybody using it is wearing a big red sign that says HACK ME!!!!
Only if they're able to perform a man-in-the-middle attack. At best they have to be on the same physical network segment as you and able to sniff all traffic: hardly a likely scenario in most businesses, or via the internet. If someone is able to do this, you have bigger problems anyway.
You've got this completely backwards. When using an encrypted protocol, such as SFTP, a MITM attack may be necessary to see the unencrypted data. In that case, it would be easiest if they were on the same physical network segment. (Although, careful not to get a false sense of security here. There are many ways to do this, even without physical access.) Fortunately, there are things we can do to detect and protect against those.
With unencrypted protocols like FTP, there's no reason for a MITM attack or any kind of attack at all. You've just potentially saved a future attacker or curious troublemaker a ton of work. You have literally sent your full login information on many separate networks, each of which has many devices connected to them. If anyone is monitoring traffic on any of those networks, your password could just sit in a dump file (along with your login name, your server's IP address and the port your FTP service is running on) until sometime down the road when someone stumbles upon it or scans for it. Unlike a MITM attack, nobody has to even be trying to attack you. There's no practical way to ensure that there isn't a single insufficiently-secured device on any of the autonomous networks that your info traveled across.
If you're using an encrypted protocol, someone usually has to take the time to attack you. If you're using an unencrypted protocol, you're just gambling on whether or not anyone who stumbles upon your login info will find any value in it.
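Added example, not written by any poster in this thread: a small Python detector an administrator could run over captured FTP control-channel text to find which accounts are still logging in with cleartext credentials, which is the exposure the thread describes. The capture lines are constructed, the `src:port > dst:port text` line format is an assumption, and the detector deliberately records only the password's length, never the password itself.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel traffic, in an assumed
# "src:port > dst:port text" layout. The final line is an SSH banner
# on port 22 and must be ignored by the detector.
SAMPLE_CAPTURE = """\
10.0.0.5:51234 > 192.0.2.10:21 USER alice
192.0.2.10:21 > 10.0.0.5:51234 331 Please specify the password.
10.0.0.5:51234 > 192.0.2.10:21 PASS hunter2
192.0.2.10:21 > 10.0.0.5:51234 230 Login successful.
10.0.0.7:40001 > 192.0.2.10:21 USER bob
192.0.2.10:21 > 10.0.0.7:40001 331 Please specify the password.
10.0.0.7:40001 > 192.0.2.10:21 PASS wrongpw
192.0.2.10:21 > 10.0.0.7:40001 530 Login incorrect.
10.0.0.9:40002 > 192.0.2.10:22 SSH-2.0-OpenSSH_9.6
"""

LINE_RE = re.compile(r"^(\S+) > (\S+) (.*)$")

def find_cleartext_ftp_logins(capture):
    """Return one finding per FTP stream that sent both USER and PASS in the clear.
    The password is never stored; only its length is kept for the report."""
    streams = defaultdict(dict)          # (client, server) -> per-stream state
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        src, dst, text = m.groups()
        if dst.endswith(":21"):          # client -> server command
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                streams[(src, dst)]["user"] = arg
            elif verb.upper() == "PASS":
                streams[(src, dst)]["pass_len"] = len(arg)
        elif src.endswith(":21"):        # server -> client reply code
            code = text[:3]
            if code == "230":
                streams[(dst, src)]["accepted"] = True
            elif code == "530":
                streams[(dst, src)]["accepted"] = False
    findings = []
    for (client, server), st in streams.items():
        if "user" in st and "pass_len" in st:
            findings.append({"client": client, "server": server, "user": st["user"],
                             "password_chars": st["pass_len"],
                             "login_accepted": st.get("accepted")})
    return findings
```

Even a rejected login (530) is reported, because the credential was exposed on the wire regardless of whether the server accepted it.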