There are many different layers at which man-in-the-middle attacks or mass surveillance can happen.
For looking up domains:
It depends on whether you're running your own Blockstack node or not. If you're running your own Blockstack (full) node, then all your domain queries are local, so it's hard to man-in-the-middle or track them (without taking over your machine, in which case you don't have any privacy anyway).
For your data:
We store encrypted data on the cloud providers that you connect and the data is encrypted in-flight as well as at-rest. We verify the signatures on the data with the bindings registered on the blockchain, so it's hard for someone to give you "fake data" and pretend that it came from the author of that data. You also need to be careful about meta-data leaking even if the data is encrypted. Meta-data visibility is an important topic of the design of Gaia, the storage system of Blockstack.
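The signature check described above can be sketched as follows. This is an added example, not Blockstack's own code: Ed25519, the SHA-256 key fingerprint, the in-memory `chainBindings` map (standing in for bindings read from a local full node) and the name `alice.id` are all assumptions made for illustration.

```javascript
// Added illustration: Ed25519 and a SHA-256 key fingerprint are stand-ins,
// not Blockstack's actual signature scheme or on-chain record format.
const crypto = require("node:crypto");

// Fingerprint of a public key: SHA-256 over its DER (SPKI) encoding.
function keyFingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Hypothetical stand-in for name -> key bindings read from a local full node.
const chainBindings = new Map();

// Author side: sign the data and publish it (with the public key) to storage.
function publish(privateKey, publicKey, data) {
  return {
    data,
    signature: crypto.sign(null, Buffer.from(data), privateKey).toString("base64"),
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
  };
}

// Reader side: the storage provider is untrusted, so check both that the key
// matches the on-chain binding for the name and that the signature verifies.
function verifyFetched(name, blob) {
  const expected = chainBindings.get(name);
  if (!expected) return { ok: false, reason: "no binding for name" };
  let publicKey;
  try {
    publicKey = crypto.createPublicKey(blob.publicKeyPem);
  } catch {
    return { ok: false, reason: "malformed public key" };
  }
  if (keyFingerprint(publicKey) !== expected)
    return { ok: false, reason: "key does not match binding" };
  const sig = Buffer.from(blob.signature, "base64");
  if (!crypto.verify(null, Buffer.from(blob.data), publicKey, sig))
    return { ok: false, reason: "bad signature" };
  return { ok: true, reason: "verified" };
}

// Constructed sample: an author, and a second key pair held by someone else.
const author = crypto.generateKeyPairSync("ed25519");
const other = crypto.generateKeyPairSync("ed25519");
chainBindings.set("alice.id", keyFingerprint(author.publicKey));
const genuine = publish(author.privateKey, author.publicKey, "hello from alice");
const tampered = { ...genuine, data: "hello from mallory" };
const resigned = publish(other.privateKey, other.publicKey, "hello from mallory");
```

Checking the signature alone is not enough: `resigned` carries a valid signature under its own key and is rejected only because that key does not match the binding registered for the name.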