Developer on appear.in here: Everything between peers is encrypted using SRTP end-to-end by default. From our FAQ:

"All communication between your browser and appear.in is transmitted over an encrypted connection (SSL). Video and audio transmitted in the service is sent directly between the participants in a room and is encrypted (SRTP) with client generated encryption keys. In some cases, due to NAT/firewall restrictions, the encrypted data content will be relayed through our server."

What about the text chat messages?

At this point in time, all chat messages are relayed through our server. These messages are sent over an encrypted socket to our server, then relayed. This means that we do have the ability to read the messages (they're not encrypted), but we do not store them, read them, or in any way allow your privacy to be compromised knowingly.

We have strict access controls to the server, but the messages are sent via Amazon. We realise that this is not ideal, and we want to, when the DataChannels API has matured a bit, move message sending to a strict P2P model as well. There are some issues with that (total ordering of messages for one) which need to be solved first, but we're positive that those challenges can be solved.