There is a good explanation of content protection here: Enable Content Protection through policy, though it is slanted towards BES IT Policy settings.
Putting in a strong password does provide robust protection, probably sufficient for most people, but that alone does not encrypt content. Someone who is able to dump the memory (a very high bar to hurdle) would be able to read email, contacts, most application settings, etc.
BTW, while communications between the device and BES are always encrypted, between the device and BIS they are not encrypted (except for GSM encryption over the air). The latest material I've seen from RIM is rather specific on this point.