I think there might be another element at play here.
Data is only sensitive when it's pertinent ... For example, if the drone is reporting its position (telemetry), that information is only applicable for that instant. Someone who intercepts it can't do anything with it ... because the circumstance has changed. So, the data, though sensitive, does not need to be protected because, by the time it is intercepted, it is no longer true and, thus, no longer of any value.
Similarly, if the drone were downlinking photos of terrain as it passes over, that info doesn't need to be protected because it has no practical value. By the time they receive the picture, the drone is no longer there. Besides, if they wanted pictures of the terrain, they could just use a Canon SureShot and get their own.
I would expect that a data analysis was done to determine the need to protect the data based not on the information, but on the potential for exploitation.
Applying blanket rules to unique situations inevitably leads to the wrong conclusions.