Data in transit inside a physical boundary controlled by or on behalf of Google is generally authenticated but might not be encrypted by default. You can choose which additional security measures to apply based on your threat model. For example, you can configure SSL for intra-zone connections to Cloud SQL.
Investigate if replication connection requires encryption.
See: https://www.terraform.io/docs/providers/google/r/sql_database_instance.html#replica_configuration
Most notably, we should support encrypting cross-zone replication connections, see https://cloud.google.com/sql/faq#encryption:
Investigate if replication connection requires encryption.