Evolution Exchange Web Services can silently ignore *all* certificate errors if configured to ignore an initial error in gnome-online-accounts creation. This renders transport security worse than zero as it does not even indicate (logs or UI) that a questionable certificate was presented, leaving the connection open to being viewed and modified.
Created evolution-ews tracking bugs for this issue:
Affects: fedora-all [bug 1678314]
Thanks for the bug report. The upstream bug had been marked as a duplicate of an older bug there. I'd prefer not to duplicate the work here, also because the upstream changes are not tested yet and because the change requires changes on the evolution-data-server side as well. I'd commit it to the stable version already otherwise.
According to https://gitlab.gnome.org/GNOME/evolution-ews/issues/27, evolution-ews does not validate the SSL certificate at all.