CNP encryption (draft)

Overview

The CNP 0.4 specification uses raw TCP/IP as the default transport protocol. That means that all requests and responses can be intercepted and possibly modified by man-in-the-middle attackers.

Ideally, CNP would always use TLS for its connections. The underlying protocol can remain otherwise unchanged.

This would result in increased security and privacy, but could create several new problems. For example, use of compression may leak plaintext from the encrypted tunnels. Additionally, establishing a TLS connection is more expensive than establishing a plain one, since it requires a TLS handshake. This may result in significantly worse performance on very high latency connections.
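The compression concern above, as an added example that is not part of the CNP specification: TLS hides message content but not message size, so when data is compressed before encryption the observable length depends on what the plaintext contains. The message bytes below are constructed placeholders (the page does not give CNP message syntax), and `observed_length`, `length_gap` and `client_context` are hypothetical helper names.

```python
import ssl
import zlib

# Constructed sample data: CNP message contents are not given on this page,
# so these byte strings are placeholders, not real CNP syntax.
SECRET_PART = b"token=7f3a9c21d4e6b805\n"
MATCHING = b"token=7f3a9c21d4e6b805"    # repeats the secret value
DIFFERENT = b"token=q8w2e5r1t9y3u6i0"   # same length, different value


def observed_length(other_part: bytes, compress: bool) -> int:
    """Length an on-path observer sees for one message.

    Encryption hides content but not size, so ciphertext length is modelled
    here as plaintext length (constant record overhead is omitted).
    """
    plaintext = SECRET_PART + b"data=" + other_part + b"\n"
    if compress:
        plaintext = zlib.compress(plaintext, 9)
    return len(plaintext)


def length_gap(compress: bool) -> int:
    """Size difference between a message that repeats the secret and one that does not."""
    return observed_length(DIFFERENT, compress) - observed_length(MATCHING, compress)


def client_context() -> ssl.SSLContext:
    """TLS client context with certificate checks on and TLS-level compression off."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION  # already the default; set explicitly
    return ctx


if __name__ == "__main__":
    print("gap without compression:", length_gap(False))
    print("gap with compression:   ", length_gap(True))
```

Without compression both messages have the same length; with compression the one that repeats the secret is shorter, which is the leak. `OP_NO_COMPRESSION` only covers compression done by TLS itself, so any compression the application applies before handing data to TLS needs the same consideration.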

TLS also requires the use of a signed certificate. Thankfully, Let's Encrypt now provides these at no cost, so this requirement is not as prohibitive as it would have been a few years ago.

See https://istlsfastyet.com/ for more information about TLS performance impacts.