Dovecot has been designed with security in mind. It uses multiple processes and privilege separation to isolate different parts from each others in case a security hole is found from one part.
Additional things you can configure:
Allocate each user their own UID and GID (see System users used by Dovecot)
Use a separate dovecot-auth user for authentication process (see System users used by Dovecot)
You can chroot authentication and mail processes (see Chrooting)
There are some security related SSL settings (see Dovecot SSL configuration)
first/last_valid_uid/gidsettings to contain only the range actually used by mail processes