I’m aware that this is because the code does not state to specify “TLS” for the dovecot/imap [user@example.com 1.2.3.4 IDLE] line of output, but I’m curious as to why that decision was made?
TLS is done by the imap-login process. This process does all the
actual talking to the client. The imap process blindly trusts
whoever invoked it (imap-login); it doesn't authenticate the user
either. Timo didn't want any crypto or authentication code, or to
link against any such libraries in the imap process itself.
Your imap-login process does show TLS and this can be logged in the
log file as well, see login_log_format_elements and the variables %c
and %k.
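
Since the TLS state is only visible in what imap-login logs, an audit for non-TLS logins has to read those lines. The following is an added example, not part of the original thread or Dovecot's own code: it assumes `login_log_format_elements` is the stock element list with `%k` added after `%c`, and the log lines are constructed samples.

```python
import re

# Assumption: Dovecot's stock element list with %k added after %c, i.e.
# login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
# Constructed sample lines; hosts, addresses, PIDs and session ids are made up.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=1.2.3.4, lip=192.0.2.10, mpid=4101, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits), session=<aaa111>
Jan 10 09:00:07 mx dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4102, session=<bbb222>
Jan 10 09:00:09 mx dovecot: imap-login: Login: user=<cron@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4103, secured, session=<ccc333>
Jan 10 09:00:12 mx dovecot: imap(user@example.com): Logged out in=50 out=512
"""

LOGIN_RE = re.compile(r"imap-login: Login: (?P<elements>.*)$")

def parse_login(line):
    """Return a dict for an imap-login 'Login:' line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    fields, bare = {}, []
    # Elements are joined with ", "; empty ones (e.g. %c without TLS) are omitted.
    for part in m.group("elements").split(", "):
        key, sep, value = part.partition("=")
        if sep and key.isalpha():
            fields[key] = value.strip("<>")
        else:
            bare.append(part)
    if "TLS" in bare:
        transport = "TLS"
    elif "secured" in bare:
        transport = "secured"  # %c for connections treated as secure without TLS (e.g. localhost)
    else:
        transport = "plaintext"
    cipher = next((b for b in bare if " with cipher " in b), None)  # the %k text
    return {"user": fields.get("user"), "rip": fields.get("rip"),
            "transport": transport, "cipher": cipher}

def audit(log_text):
    """Parse every login line in log_text, skipping unrelated lines."""
    return [r for r in map(parse_login, log_text.splitlines()) if r]

def plaintext_logins(log_text):
    """Logins where imap-login reported neither TLS nor a secured connection."""
    return [r for r in audit(log_text) if r["transport"] == "plaintext"]

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(rec)
```

The post-login `imap(...)` line is skipped on purpose: as the reply explains, that process has no knowledge of the transport.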