Encrypting payload sent to server GTM and decrypt it with a custom client template.
Very simple “encryption” with base64 works really well because it is natively supported in GTM client api.
Really effective encryption is harder. Maybe with a custom decipher method used on frontend and GTM.
For my use case base64 is totally fine.