Yes, it can be sniffed. It will at least use transport encryption, like TLS. For everything, yes. So you'll only get encrypted data you cannot read. You could attempt a man-in-the-middle attack on this connection. Unless the app is badly made, this will not succeed.
And then, even if you could look inside, there's another type of asymmetric cryptography going on: the remote attestation itself. Again, if properly designed and possibly backed by a hardware security chip, it cannot be spoofed. This isn't something trivial like a shared secret in an HTTP header.
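The contrast drawn above, as an added example that is not part of the original answer and not any vendor's attestation API: a static secret in a header stays valid for anyone who has seen it once, while a signature over a fresh server challenge is useless when replayed or altered. All function names are hypothetical, and the software Ed25519 key pair is an assumption standing in for a key held in a hardware security chip.

```javascript
const crypto = require('node:crypto');

// Constructed device key; on real hardware the private half never leaves the chip.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Server: hand out a fresh, single-use challenge for every attestation request.
const outstanding = new Set();
function issueChallenge() {
  const nonce = crypto.randomBytes(16).toString('hex');
  outstanding.add(nonce);
  return nonce;
}

// Device: sign the challenge together with the reported state.
function attest(nonce, claims) {
  const payload = JSON.stringify({ nonce, claims });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey);
  return { payload, signature: signature.toString('base64') };
}

// Server: accept only a valid signature over a challenge that is still unused.
function verifyAttestation(msg) {
  const ok = crypto.verify(null, Buffer.from(msg.payload), publicKey,
                           Buffer.from(msg.signature, 'base64'));
  if (!ok) return false;                      // payload altered or wrong key
  const { nonce } = JSON.parse(msg.payload);  // safe to parse: signature checked
  return outstanding.delete(nonce);           // false if unknown or already used
}

// Contrast: a shared secret in an HTTP header. The same bytes are accepted
// every time, so one observed request is enough to pass this check forever.
const SHARED_SECRET = 'constructed-static-token';
function verifyHeader(headers) {
  return headers['x-app-secret'] === SHARED_SECRET;
}
```

The verifier never holds anything worth capturing: it stores only the public key and the list of outstanding challenges.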