One of the biggest improvements you can make, and the easiest to implement, is to set all clients' report encryption to optional and have the root and/or top-level relays set up to handle decryption. One reason to set the encryption to optional is that the clients will use it if they can, but fall back if they can’t. You can eventually switch this to required, but optional is the way to start.
@strawgate I didn’t realize that the default communication was unencrypted between client & relay. I figured it would at least use SSL even if it doesn’t validate the relay using SSL. (self signed)