Security Ninja uses the file /wp-content/uploads/security-ninja/outdated.dat, which contains a list of outdated plugins in the public wordpress.org repository.
Nothing is stored about which plugins are activated on -your- website. When the plugin runs a check, it loads the list from the file and quickly compares it with the plugins currently installed on your website.
The contents are not stored in the database. This keeps down the database size of your WP installation, and loading the content of the file takes a fraction of a second. Keeping a list of thousands of outdated plugins that will never get installed in every WordPress database, just for reference, would be a waste of database resources compared with a single file.
This solution is a fast method that does not take up unnecessary resources/space.
Having problems with the file? Check out the known problems with the vulnerability scanner.