Enabling end-to-end TLS encryption helps protect data in transit from man-in-the-middle and similar attacks.
The PeerAuthentication configuration YAML file supports several mTLS modes. Setting spec.mtls.mode to STRICT selects the strongest configuration and is considered best practice.
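An added example, not taken from the original page or from the Istio project: a mesh-wide PeerAuthentication that sets spec.mtls.mode to STRICT, followed by a namespace-level PERMISSIVE policy of the kind a review should flag. It assumes the default root namespace istio-system; the payments namespace and the resource names are hypothetical.

```yaml
# Hardened: mesh-wide policy. A PeerAuthentication with no selector,
# placed in the root namespace (assumed here to be the default,
# istio-system), applies to every workload in the mesh.
apiVersion: security.istio.io/v1   # security.istio.io/v1beta1 on older Istio releases
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT        # sidecars accept only mutual TLS connections
---
# Weak: a narrower policy takes precedence over the mesh-wide one, so
# this namespace (hypothetical name) still accepts plaintext traffic
# even though the mesh default above is STRICT.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments   # hypothetical namespace
spec:
  mtls:
    mode: PERMISSIVE    # accepts both plaintext and mutual TLS
---
# Corrected form of the namespace policy. Deleting the namespace policy
# has the same effect, because an unset mode inherits from the parent
# (here the mesh-wide STRICT policy).
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments   # hypothetical namespace
spec:
  mtls:
    mode: STRICT
```

When reviewing a cluster, check namespace-level and workload-level (selector and portLevelMtls) policies as well as the mesh-wide one, since any of them can set PERMISSIVE or DISABLE for the traffic it covers.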
References:
https://istio.io/latest/docs/reference/config/security/peer_authentication/