By default, management traffic between AP and controller is clear text and data through GRE tunnel when control plane security is disabled. With control plane security enabled, management frames between controller and AP are sent inside ipsec.
With remote AP, by default, all traffic is sent inside ipsec.
Note: forward mode also plays a role here. Please refer our user guide from support site for more information.