ALL traffic, that flows through the EoC system, is encrypted on the Coax, with a AES algorithm:
G.hn uses the Advanced Encryption Standard (AES) encryption algorithm (with a 128-bit key length) using the CCMP protocol to ensure confidentiality and message integrity. Authentication and key exchange is done following ITU-T Recommendation
This is not just between the endpoints and the controller, but it’s point-to-point. This means that EP1 can’t eavesdrop on the traffic between the controller and EP2.
When the data leaves the coax, the security lies in the VLANs. Here you can implement L2 isolation, so the clients connected on the VLAN, can’t eavesdrop on the traffic as well.