We run a WireGuard mesh between all of our hosts; once traffic hits our edge, there’s no point at which it goes back out over the Internet in plaintext.
That goes for traffic between apps as well, though you should know that two apps on the same host will be speaking directly to each other (in plaintext) over the host’s local routing. If you want more assurance than that, you can build an image that does TLS or WireGuard between your apps; it’s probably not worth it, but it’s a thing you can do.
For compliance purposes, both traffic from the Internet and traffic between apps is reliably encrypted.