According to their documentation:
Networks and subnetworks handle communication between instances and serve as a gateway between instances and other networks. A network is constrained to a single project; it cannot span projects. However, a project can have multiple networks.
From what I understand, as long as the instance doesn't have an external IP address with an open firewall, nobody can connect to it or intercept traffic besides for an instance in my project. So I can send traffic between them without encrypting it. Do I understand it correctly?