If it doesn't have any SSL/TLS or only HTTP, not HTTPS, which is more known. Then anyone who monitors the network can see whatever data is being sent, including ISP, governments, NSA, Hacker, or any adversaries you can name.
As far as I know, highly sensitive data may only be transmitted between different parties via extra-secured data channels, and in addition to HTTPS - which is of course mandatory - separate encryption and certificates are also used or, in extreme cases, must even be transmitted offline.
For sure, in an extreme case, if I'm not mistaken either CIA or NSA have a private network which is inaccessible to the world but only between departments. And offline storage is also plausible, that is what some of us have been doing when using cold storage wallets.
To not make the term any data too broad, merely using TLS/SSL(HTTPS) to transmit user personal data to the server(Roobet&3rd-party) is safe enough.