Istio and TLS between envoyproxy & microservice attached

If I use Istio as a service mesh, is it a good practice to set up my JHipster registry and my microservices (Spring Boot) with TLS? Or should I force HTTP?
After analysis, it seems that the only place where traffic is not encrypted by Istio in the k8s cluster is between the Envoy proxy and the connected microservice/container, is that correct?

Any suggestions?
Is it a good practice to leave HTTP “internally” and switch to HTTPS via a reverse proxy (Traefik)?

Yes, traffic between the Envoy proxy and the connected microservice (within the same pod) is not encrypted.
And it is OK to have HTTP internally, IMHO.

OK, thank you for your opinion.
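
Added example, not part of the thread: leaving the application on plain HTTP only confines cleartext to the in-pod hop if the sidecars actually require mTLS, so this check resolves the effective Istio `PeerAuthentication` mode per workload and lists those that still accept plaintext. It assumes the default root namespace `istio-system`; the policies and workload names are constructed sample data, and port-level overrides and policy age ordering are not modelled.

```python
import json

# Constructed sample, shaped like `kubectl get peerauthentication -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "default", "namespace": "istio-system"},
   "spec": {"mtls": {"mode": "STRICT"}}},
  {"metadata": {"name": "default", "namespace": "legacy"},
   "spec": {"mtls": {"mode": "PERMISSIVE"}}},
  {"metadata": {"name": "registry", "namespace": "apps"},
   "spec": {"selector": {"matchLabels": {"app": "jhipster-registry"}},
            "mtls": {"mode": "DISABLE"}}}
]}
""")["items"]

ROOT_NS = "istio-system"  # assumption: Istio's default root namespace


def _selector(policy):
    return policy.get("spec", {}).get("selector", {}).get("matchLabels") or {}


def _mode(policy):
    return policy.get("spec", {}).get("mtls", {}).get("mode", "UNSET")


def effective_mode(policies, namespace, labels):
    """Resolve mTLS mode for one workload: workload > namespace > mesh-wide."""
    in_ns = [p for p in policies if p["metadata"]["namespace"] == namespace]
    workload = [p for p in in_ns if _selector(p)
                and all(labels.get(k) == v for k, v in _selector(p).items())]
    ns_wide = [p for p in in_ns if not _selector(p)]
    mesh = [p for p in policies
            if p["metadata"]["namespace"] == ROOT_NS and not _selector(p)]
    for tier in (workload, ns_wide, mesh):
        for policy in tier:
            if _mode(policy) != "UNSET":  # UNSET inherits from the next tier
                return _mode(policy)
    return "PERMISSIVE"  # Istio's behaviour when no policy applies


def not_strict(policies, workloads):
    """Return (namespace, app, mode) for workloads that still accept plaintext."""
    return [(ns, labels.get("app"), mode) for ns, labels in workloads
            if (mode := effective_mode(policies, ns, labels)) != "STRICT"]


if __name__ == "__main__":
    pods = [("apps", {"app": "jhipster-registry"}), ("apps", {"app": "gateway"}),
            ("legacy", {"app": "billing"})]  # constructed workloads
    for finding in not_strict(SAMPLE, pods):
        print("accepts plaintext from other pods:", finding)
```
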