Add support for encrypted SAML assertions
The SAML metadata provided by UserVoice does not include a public key. So, SAML assertions sent by an IdP are not encrypted (though they may be signed).
Although SAML assertions are delivered to UserVoice over TLS, having them be encrypted prevents the browser (and anything bad running on the browser) from reading the assertion. Also, using encrypted assertions can help to block other problems; for example, see https://shibboleth.net/community/advisories/secadv_20180227.txt for an instance of a security bug that mainly affected unencrypted assertions.
My request is for UserVoice to generate a key pair for its SP, and include that in the SAML metadata, and support encrypted SAML assertions.
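
As an added illustration (not part of the original request, and not UserVoice's code), here is a check an IdP operator can run over SP metadata to see whether the SP publishes any key an assertion could be encrypted to. The entity IDs and the certificate placeholder are constructed sample values.

```python
import xml.etree.ElementTree as ET  # fine for this inline sample; use a hardened parser for fetched metadata

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def encryption_keys_by_sp(metadata_xml):
    """Map each SP entityID to the number of keys an IdP may encrypt to."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also yields the root, so a bare EntityDescriptor document works too.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        sp_roles = entity.findall(f"{{{MD}}}SPSSODescriptor")
        if not sp_roles:
            continue  # not a service provider (for example, an IdP entry)
        count = 0
        for sp in sp_roles:
            for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
                has_key = kd.find(f"{{{DS}}}KeyInfo") is not None
                # SAML metadata: an omitted "use" covers signing AND encryption.
                if has_key and kd.get("use") in (None, "encryption"):
                    count += 1
        result[entity.get("entityID")] = count
    return result

def sps_without_encryption_key(metadata_xml):
    """SPs for which an IdP has no key to encrypt assertions with."""
    return sorted(e for e, n in encryption_keys_by_sp(metadata_xml).items() if n == 0)

# Constructed sample metadata; PLACEHOLDER stands in for a base64 certificate.
KEY = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER"
       "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
PROTO = 'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"'
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://sp-nokey.example/saml">
    <md:SPSSODescriptor {PROTO}/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-signonly.example/saml">
    <md:SPSSODescriptor {PROTO}>
      <md:KeyDescriptor use="signing">{KEY}</md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-enc.example/saml">
    <md:SPSSODescriptor {PROTO}>
      <md:KeyDescriptor use="signing">{KEY}</md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">{KEY}</md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(sps_without_encryption_key(SAMPLE))
```

An SP that publishes no key at all and one that publishes only a signing key are both reported, since in either case the IdP has nothing to encrypt the assertion to.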