As secure as an MPLS network might be, unless you use encryption, there is always the possibility that your data can be tapped in transit. No one like to think about this, but you should.
Using SD-WAN simplifies the encryption process while improving the level security via automated encryption key changes at intervals you specify, depending on the SD-WAN provider that you are considering.
While MPLS is inherently private, the network and switches the MPLS circuit travels is not. The Provider Edge Router is shared with many customers. Most carriers provide security from “outside” attacks, such as the Internet or connected VPNs. But what about an “inside” attack, where an attacker has logical or physical access to the core network. Any network can be attacked with access from the inside. While I am not aware of any MPLS attacks have been made public, it is not out of the realm of possibility. Then there is BGP spoofing to think about.
Protect your data in transit: encrypt your MPLS traffic.