Currently, a sysadmin can enable spice_tls, but this doesn't actually enforce the use of secured connections for spice channels. Please add a new qemu.conf option 'spice_channel_default_mode' which maps to defaultMode if none is explicitly specified in the XML. So in addition to setting spice_tls=1, a syadmin could also set spice_channel_default_mode=secure to ensure that spice communication is handled securely. Please see discussion in https://bugzilla.redhat.com/show_bug.cgi?id=904295
I don't use libvirt any longer.