Hello Alf,
Thank you for your message.
I apologize for the inconvenience, but as I've already mentioned in the ticket, there is, indeed some additional unencrypted metadata transferred between Host and Server or Viewer and Server (only in case of Internet-ID connections), but this data is not related to authentication or remote sessions, so this does not cause any security threats. All data related to authentication or to a remote session is encrypted regardless of the connection type.
However, we do understand your concern - I have forwarded your feedback on this to our developers, so we will try to implement these changes as soon as we can. Sorry once again for the inconvenience.
Please let me know if you have more questions.