Interesting question came up in one of our implementations today. We check isConfidential() in a Filter and redirect people to https in certain circumstances where the response should not be transmitted in the clear. Some requests are transported over the riap: pseudoprotocol. It seems to me isConfidential() should return true for riap: requests, since the internal requests are not transmitted in the clear.
Thoughts? - R
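A sketch of the filter the post describes, as an added example (not code from the original message or from the Restlet project). It assumes Restlet 2.x package names and that an internal request reports `Protocol.RIAP` from `getProtocol()` by the time it reaches the filter. The class name, the helper `isProtected`, the permanent redirect and port 443 are hypothetical choices.

```java
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.Protocol;
import org.restlet.data.Reference;
import org.restlet.routing.Filter;

/** Hypothetical filter: only lets a call through if it never crosses the wire in the clear. */
public class ConfidentialityFilter extends Filter {

    public ConfidentialityFilter(Context context) {
        super(context);
    }

    /**
     * True when the call is either reported confidential by the connector
     * or is an internal riap: dispatch that never leaves the JVM.
     * Assumption: getProtocol() yields Protocol.RIAP for such calls.
     * The decision uses the protocol recorded on the request object,
     * never a client-supplied header or a scheme parsed from user input.
     */
    static boolean isProtected(Request request) {
        if (request.isConfidential()) {
            return true;
        }
        return Protocol.RIAP.equals(request.getProtocol());
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        if (isProtected(request)) {
            return CONTINUE;
        }
        // Clear-text external request: send the client to the https: form
        // of the same resource and stop processing before any content is produced.
        Reference target = new Reference(request.getResourceRef());
        target.setScheme(Protocol.HTTPS.getSchemeName());
        target.setHostPort(443); // assumption: TLS connector listens on the default port
        response.redirectPermanent(target);
        return STOP;
    }
}
```

Keeping the riap: exemption in one helper makes it easy to remove if `isConfidential()` itself starts returning true for internal calls.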