How do you protect cleartext data produced/consumed by Vault EaaS Transit Engine?

Hello,

Below is a screenshot from the website.
How do you protect data in the circled in red part the image below ?

I’m asking this because if multiple nodes exist between Vault EaaS and the Application, MITM seems to be still possible

Or does it mean a point-to-point connection is mandatory between Vault EaaS and the Application ?