If it doesn't have any SSL/TLS or only HTTP, not HTTPS, which is more known. Then anyone who monitors the network can see whatever data is being sent, including ISP, governments, NSA, Hacker, or any adversaries you can name.
As far as I know, highly sensitive data may only be transmitted between different parties via extra-secured data channels, and in addition to HTTPS - which is of course mandatory - separate encryption and certificates are also used or, in extreme cases, must even be transmitted offline. I don't know exactly what this looks like at Roobet, but it would of course be very interesting.
Maybe end to end encryption channels are used but if the government are interested in having those data they will impose many restrictions in order to have that data but i think Roobet has previously also stated that your data is safe with them and not shared with anyone.Security protocol must be followed but we should be careful at our end also.