
It doesn't help the server side data leak but at least you can't connect to it and make it say 'destroy all humans'


That's not necessarily the case. TLS protects the connection, but by default does not provide authentication. I also see a lot of instances where certificate checking has been disabled, so that the client just ignores a MitM attack. So with TLS it would seem more secure at first glance, but given the implementation blunders here I wouldn't expect any real improvement.


Yeah that's true, I'm totally assuming 'competently implemented TLS' when I say it would protect the connection.
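An added example (not part of the thread, and not code from the product under discussion) of the two gaps raised above: a client with certificate checking disabled, and a TLS server that by default does not authenticate its clients. The function names and the `role` parameter are assumptions made for this illustration; only Python's standard `ssl` module is used.

```python
import ssl

def audit_context(ctx: ssl.SSLContext, role: str) -> list[str]:
    """Return authentication gaps in a TLS context; an empty list means none found."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        if role == "client":
            findings.append("server certificate not verified: a MitM certificate is accepted")
        else:
            findings.append("no client certificate requested: TLS does not authenticate clients")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL and role == "server":
        findings.append("client certificate optional: unauthenticated clients still connect")
    if role == "client" and not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for another name is accepted")
    return findings

def client_no_verify() -> ssl.SSLContext:
    # The "certificate checking has been disabled" pattern: encrypted, but to anyone.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def client_verified() -> ssl.SSLContext:
    # Library defaults: CERT_REQUIRED plus hostname checking against the system CAs.
    return ssl.create_default_context()

def server_default() -> ssl.SSLContext:
    # A plain TLS server context: the server proves its identity, clients prove nothing.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

def server_mutual() -> ssl.SSLContext:
    # Mutual TLS: the handshake fails unless the client presents a trusted certificate.
    # A real deployment also calls load_cert_chain() and load_verify_locations().
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

if __name__ == "__main__":
    for name, ctx, role in [
        ("client, checks disabled", client_no_verify(), "client"),
        ("client, defaults", client_verified(), "client"),
        ("server, defaults", server_default(), "server"),
        ("server, mutual TLS", server_mutual(), "server"),
    ]:
        print(name, "->", audit_context(ctx, role) or "no gaps found")
```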



