GraphQL (GQL) Security

That’s what I’m saying though - it is not, because implementing that is up to you. The GQL Server is not going to talk to anyone outside your local network unless you configure it to allow that by configuring the Application as such.

And if you do allow external access (i.e. making an App of your own), then you don’t use the SambaPOS Webservice. You use your own, whether that be Apache or IIS or whatever, which you can secure using SSL. Then all communication is encrypted - that is not a role that GQL Server needs to provide.

Forget about RDP for the moment - it has nothing to do with securing GQL, or whether it needs to be secured or not. RDP in the scope of SambaPOS is IMO a hack that happens to work for people. But nowadays, it should be abandoned in favor of GQL Apps. Personally, I have never used RDP with SambaPOS, and now that I have QMX, I never need to use it.