By default, Gmail uses a secure connection (SSL) to check your credentials (username and password), but after that it redirects to an HTTP connection.
Gmail compresses all sent and received data with gzip so it transfers faster, but gzip is compression, not encryption: anyone monitoring the traffic with a network sniffer can easily decompress it.
HTTPS uses more resources on both ends to encrypt and decrypt the traffic, which is why Google didn't make it the default option.
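An added example (not from the original post) that audits a captured session for the two behaviours described above: the redirect from HTTPS to HTTP after login, and gzip bodies that decode without any key. The host mail.example.test, the sample responses and the function names are constructed for illustration.

```python
import gzip
from urllib.parse import urljoin, urlsplit

# Constructed capture: a login response that redirects to plain HTTP,
# followed by a gzip-encoded inbox page. Host and content are made up.
SAMPLE = [
    b"HTTP/1.1 302 Found\r\nLocation: http://mail.example.test/inbox\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
    + gzip.compress(b"Subject: quarterly numbers"),
]

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def readable_body(headers, body):
    """Undo Content-Encoding: gzip. No key is needed, so it hides nothing."""
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body

def audit_session(start_url, raw_responses):
    """Report HTTPS-to-HTTP redirects and bodies served over plain HTTP."""
    url, findings = start_url, []
    for raw in raw_responses:
        status, headers, body = parse_response(raw)
        if urlsplit(url).scheme == "http" and body:
            findings.append((url, "cleartext", readable_body(headers, body)))
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            nxt = urljoin(url, headers["location"])
            if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
                findings.append((url, "downgrade", nxt.encode()))
            url = nxt
    return findings

if __name__ == "__main__":
    for where, kind, detail in audit_session("https://mail.example.test/login", SAMPLE):
        print(kind, where, detail)
```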
If you want to encrypt your connection to Gmail, there are two simple options: bookmark https://mail.google.com and use it instead of gmail.com, or install a Firefox extension called Customize Google. The extension also switches Google Calendar to an SSL connection.
This is a useful trick for many sites, including meebo.com and box.net.
Updated: replaced https://www.gmail.com with https://mail.google.com to prevent a warning about the domain name in Firefox.