After peeking at it in Mitmproxy, I found out that it is not end-to-end encrypted.
Current kb article: http://web.archive.org/web/20240621214336/https://culturedcode.com/things/support/articles/2803605/
Past kb article: http://web.archive.org/web/20201111212426/http://culturedcode.com/things/support/articles/2803605/
This part of the documentation was present in 2020 but removed at some point:
Server-Side Policies
We have policies in place which restrict direct server access to only those employees who are responsible for deploying and maintaining the service; currently, that is 2 people (and does not include our helpdesk personnel). These individuals are bound by confidentiality agreements and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations. Engineers with access to Things Cloud servers are required to use two-factor authentication when accessing the system; this means that even knowing an engineer’s password would not be sufficient for gaining access to our servers.
I don't trust these two engineers. And also, I find it shady that they removed this paragraph.
They have been considering it since 2020. It's now 2024. I postulate that it'll never happen.