Streaming replication is at least as secure as normal user connections to PostgreSQL.
Replication uses standard libpq connections, so we have all the normal mechanisms for authentication and SSL support, and all the firewall rules are similar.
Replication must be specifically enabled on both the sender and standby sides. Cascading replication does not require any additional security.
When performing a base backup, the pg_basebackup, pg_receivewal, and pg_recvlogical utilities will use the same type of libpq connections as a running streaming standby. You can use other forms of base backup, such as rsync, though you'll need to manually set up the security configuration.
Standbys are identical copies of the master, so all users exist on all nodes with identical passwords. All of the data is identical (eventually) and all the permissions...