When sodium (lists) or polonium (otrs) delivers an email message (such as mailing list delivery) to a remote server, it does so in plaintext even if the remote SMTP server supports STARTTLS (RFC 3207).
Expected:
The local exim should be negotiating a TLS connection using STARTTLS (and preferably, verifying the certificate when sending to the Big Players).
I should point out that in addition to publicly archived mailing lists (and staff addresses), we also have password resets, emails with personal information being sent to OTRS or private mailing lists (stewards, checkusers, oversighters, otrs agents...) so, assuming they are using a that also supports TLS SMTP, we could have the message protected from the point it enters Wikimedia systems.
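
One way to measure the reported behaviour from the sending side, as an added example that is not part of the original report: Exim writes an `X=` field on a delivery log line only when the SMTP session was encrypted, so remote deliveries without it went out in plaintext. The log lines and host names below are constructed, and the default mainlog timestamp format is assumed.

```python
import re
from collections import Counter

# Constructed sample in Exim mainlog style (not taken from the report).
SAMPLE_LOG = """\
2013-06-01 12:00:01 1UiAAA-0001Ab-Cd <= list-bounces@lists.example.org H=localhost [127.0.0.1] P=esmtp S=2048
2013-06-01 12:00:02 1UiAAA-0001Ab-Cd => alice@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10] C="250 OK"
2013-06-01 12:00:03 1UiAAA-0001Ab-Cd -> bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10] C="250 OK"
2013-06-01 12:00:04 1UiAAA-0001Ab-Cd => carol@example.com R=dnslookup T=remote_smtp H=mx.example.com [198.51.100.7] X=TLSv1:AES256-SHA:256 C="250 OK"
2013-06-01 12:00:05 1UiAAA-0001Ab-Cd => archive <archive@lists.example.org> R=local T=local_delivery
2013-06-01 12:00:06 1UiAAA-0001Ab-Cd => dave@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.5] C="250 queued X=1"
2013-06-01 12:00:07 1UiAAA-0001Ab-Cd Completed
"""

# "=>" is a delivery, "->" an additional address in the same delivery.
DELIVERY = re.compile(r"^\S+ \S+ \S+ (?:=>|->) ")
HOST = re.compile(r" H=(\S+) \[[^\]]+\]")
TLS = re.compile(r" X=\S+")
QUOTED = re.compile(r'"[^"]*"')


def audit(log_text):
    """Return (plaintext, encrypted) Counters of remote deliveries per host."""
    plaintext, encrypted = Counter(), Counter()
    for line in log_text.splitlines():
        if not DELIVERY.match(line):
            continue  # arrivals, completions, errors
        # Drop quoted server responses so text inside C="..." cannot
        # be mistaken for a real X= field.
        fields = QUOTED.sub('""', line)
        host = HOST.search(fields)
        if host is None:
            continue  # local delivery, no remote SMTP session
        bucket = encrypted if TLS.search(fields) else plaintext
        bucket[host.group(1)] += 1
    return plaintext, encrypted


if __name__ == "__main__":
    plain, enc = audit(SAMPLE_LOG)
    for name, count in plain.most_common():
        print(f"PLAINTEXT {name}: {count} deliveries")
    for name, count in enc.most_common():
        print(f"TLS       {name}: {count} deliveries")
```

Hosts that appear only in the plaintext count are the ones to test for STARTTLS support before tightening the transport.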