This is a brief overview of some parts of how our things are encrypted in transit. https://cloud.google.com/docs/security/encryption-in-transit is a good resource to read to know more about how GCP takes care of some things.
Brief overview of our encryption in transit:
We use TLS for all communication coming from outside. Setup either on Cloudflare or on GCP.
Traffic inside GCP is encrypted by default by GCP.
Configuration regarding configuration of TLS at Cloudflare side can be found here.
Traefik uses TLS 1.2+ for all communication it takes care off.