I was curious about the details and did some digging.
"Regardless of the transport protocol used (HTTP or HTTPS), PowerShell Remoting always encrypts all communication after initial authentication with a per-session AES-256 symmetric key."
See my other comment, but a) it encrypts more of the packets, b) helps with validating correct server, c) encrypts even if you end up authenticating without Kerberos somehow.
When using HTTP for remoting, headers are not encrypted. But body is always encrypted when using NTLM, CredSSP or Kerberos - the GSSAPI supported protocols. If user doesn't want to use these and opts for basic auth or some other protocol that doesn't have encryption specified, https is useful.
