Is the traffic from Console to client encrypted?

This issue has been solved. See solution.
Johnny_MIUN

Hi,

Is the traffic from Console to client encrypted? For example, if you are going to change a password from console to client with execute command, are the command and parameters sent in clear text, or is the traffic to the client encrypted?

Regards,
Johnny

Nigel Bree

Plain text

Solution

It's all in plain text; the clients strongly authenticate the identity of the server and the messages from the server to the client are authenticated using a session message authentication key derived from a Diffie-Hellman session key.

However, in GSS2.5 this is one-way: clients authenticate the server based on its public key but not vice versa; the server does not strongly authenticate the clients (clients do not generate strong cryptographic identities for themselves, and those identities are not propagated forward from client to PreOS and to newly-deployed images). As such, there is only a tiny amount of value in encrypting communications if you have no way to validate the identity of the other party, since all it takes to simply be given the keys to decrypt the data that you want hidden is for an attacker to impersonate a client.

Adding encryption to the link in any future version of GSS is conditional on adding that additional authentication infrastructure - and even more crucially, adding the UI machinery in the GSS Console to manage the trust level of a client and manage that authentication process.
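
The distinction drawn in the answer above, as an added example that is not part of the original post and is not GSS's actual protocol: a command carried in plain text with a MAC keyed from a Diffie-Hellman session secret is tamper-evident but still readable on the wire, and the server derives that key with whoever supplied the other share. The group parameters, key-derivation step, message layout and command string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Demonstration-only group (assumption): 2**255 - 19 is prime, but this is not
# a vetted Diffie-Hellman group and is far too small for real use.
P = 2**255 - 19
G = 2

def dh_keypair():
    """Return (private exponent, public share)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def mac_key(priv, peer_pub):
    """Derive a session MAC key from the DH shared secret (KDF is assumed)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"mac" + shared.to_bytes(32, "big")).digest()

def seal(key, command):
    """Server side: plaintext command followed by a 32-byte HMAC-SHA256 tag."""
    return command + hmac.new(key, command, hashlib.sha256).digest()

def open_(key, wire):
    """Client side: return the command if the tag verifies, else None."""
    command, tag = wire[:-32], wire[-32:]
    expected = hmac.new(key, command, hashlib.sha256).digest()
    return command if hmac.compare_digest(tag, expected) else None

def demo():
    srv_priv, srv_pub = dh_keypair()
    # The server cannot verify who sent this share, so the session key is
    # shared with whoever generated it, not with a known client identity.
    cli_priv, cli_pub = dh_keypair()
    k_srv = mac_key(srv_priv, cli_pub)
    k_cli = mac_key(cli_priv, srv_pub)
    wire = seal(k_srv, b"execute: set-password <constructed>")  # constructed sample
    tampered = bytes([wire[0] ^ 1]) + wire[1:]
    return {
        "keys_match": k_srv == k_cli,
        "accepted": open_(k_cli, wire),
        "tampered_accepted": open_(k_cli, tampered),
        "readable_on_wire": b"set-password" in wire,
    }
```
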

Johnny_MIUN

Thank you very much for your answer!

/Johnny