WebRTC mandates encryption — there is no "unencrypted" mode. The mechanism is DTLS-SRTP: a DTLS handshake at the start of the connection negotiates encryption keys, and those keys are then used by SRTP to encrypt every RTP media packet. DTLS (Datagram TLS) provides TLS's key-exchange semantics over UDP. SRTP (Secure RTP) encrypts the RTP payload with AES-128-GCM or AES-256-GCM, authenticates the headers, and protects against replay attacks.
The encryption is between WebRTC endpoints — both peers in a peer-to-peer call, or peer-and-SFU in an SFU topology. An SFU sits in the middle of the encryption: it terminates DTLS with each peer separately and re-encrypts the media with its own keys when forwarding. This means an SFU can see the unencrypted media content, which is necessary for it to route, simulcast and SVC-strip — but means the SFU operator is a trust point.
For end-to-end encryption that goes through SFU without exposure, WebRTC supports Insertable Streams (W3C 2021) and the related E2EE designs (used by Google Meet's E2EE, WhatsApp video, Zoom's E2EE mode). These layer an additional encryption layer on top of SRTP that only the actual endpoint participants can decrypt, with the SFU forwarding opaque encrypted blobs. Setup is harder, but the SFU can no longer eavesdrop.
