Emails are sent using the organization's email security settings, if that's what you're asking about. Salesforce's default is to prefer TLS if available, and fallback to cleartext otherwise. You can also step up the security if you're concerned about middleman snooping of the emails during transit (that is, during the time that it is between salesforce.com's MTA and your MTA). Salesforce.com's own network is considered secure, so TLS from the MSA to the MTA on salesforce's side is unnecessary (and they would only tell you how that transfer happens under NDA, since their network topology is propritary and considered IP). TLS between the MTA and the MUA would be the responsibility of the operator of the MTA.

If you need the file to arrive at the destination encrypted (thus readable only by the recipient with the key), you can use the Crypo class to encrypt the contents of the message before sending; only the headers would be readable to anyone without the key. You'll need to determine how you're going to store the public key to be used for encryption (or securely store a symmetrical key), and make sure that the received file is decryptable on the recipient's device (e.g. PGP, RSA, etc). Salesforce.com supports a number of industry-standard encryption schemes that should be compatible with software that is compliant to these same schemes.

As far as I know, you can't password-protect a PDF generated by the system itself (through Visualforce's renderAs page attribute). That means you'll have to rely upon the security I've outlined above in order to ensure that the customer's data is kept secret. I would think that password-protecting the decryption key on the user's device would be sufficient security to prevent a breach, assuming the user chooses a strong password.