OOJSPI
just joined
Topic Author
Posts: 20
Joined: Mon Dec 09, 2024 2:25 pm

Support for safe time retrieval is needed!

Thu Jan 16, 2025 2:29 pm

Some encryption is better than none most of the time. DNS is one of the easiest protocols to attack if not encrypted, but MikroTik already supports DNS-over-HTTPS. That leaves safe time retrieval as the next problem. MikroTik supports NTP, but that's about it.

There are safer ways to retrieve time. One of them is retrieving time from an HTTPS header. For example, GrapheneOS for Android already does it and even has a server dedicated just for that - time.grapheneos.org. There is also Network Time Security (https://datatracker.ietf.org/doc/html/d ... for-ntp-06) and Cloudflare Time already supports it.

There are authentication/authorization key options/settings in the MikroTik NTP client, but I don't know how to use them. Network Time Security uses TCP ports (4460, I think) and MikroTik routers always use UDP port 123 meant for cleartext NTP traffic. Is there at least some way to change the MikroTik NTP source port? It always forces the source port to be 123, same as the destination port. That is not necessary.
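
The HTTPS-header approach mentioned in the post, sketched as an added example (not part of the original post and not RouterOS or GrapheneOS code): it reads the standard HTTP `Date` header over a certificate-verified TLS connection and bounds the error by the round-trip time. The function names, the `max_rtt` limit and the sample timestamps are assumptions made for illustration.

```python
import ssl
import time
import urllib.request
from email.utils import parsedate_to_datetime

def offset_from_date_header(date_header, t_send, t_recv, max_rtt=2.0):
    """Return (offset, uncertainty) in seconds: server clock minus local clock.

    t_send / t_recv are local UNIX timestamps taken just before the request
    was sent and just after the response headers arrived.
    """
    if not date_header:
        raise ValueError("response has no Date header")
    rtt = t_recv - t_send
    if rtt < 0 or rtt > max_rtt:
        raise ValueError(f"round trip of {rtt:.3f}s outside accepted range")
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:
        raise ValueError("Date header carries no usable timezone")
    # Date has one-second resolution: true server time is in [t, t+1).
    server_ts = server.timestamp() + 0.5
    # The server stamped the response somewhere between t_send and t_recv.
    local_mid = t_send + rtt / 2
    return server_ts - local_mid, 0.5 + rtt / 2

def fetch_offset(url, timeout=5.0):
    """HEAD the URL over verified TLS and estimate the clock offset."""
    # Default context checks the certificate chain and hostname. Certificate
    # validity dates are checked against the local clock, so a clock that is
    # far off makes the handshake fail instead of yielding a time.
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, method="HEAD")
    t_send = time.time()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        t_recv = time.time()
        date_header = resp.headers["Date"]
    return offset_from_date_header(date_header, t_send, t_recv)

if __name__ == "__main__":
    # Constructed sample: local clock 100 s behind, 200 ms round trip.
    server_now = 1737037740.0  # Thu, 16 Jan 2025 14:29:00 GMT
    off, unc = offset_from_date_header(
        "Thu, 16 Jan 2025 14:29:00 GMT", server_now - 100.0, server_now - 99.8)
    print(f"offset {off:+.1f}s, uncertainty +/-{unc:.1f}s")
```

The returned uncertainty is a hard bound only if the TLS peer is authentic; an estimate that exceeds the expected drift is better logged and compared against a second source than applied blindly.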