Last I checked, you can access the LDAP directory without a password, and it appears to send info over a non-secure channel.
This bugzilla entry suggests you can use TLS but may not really be relevant:
Bug 16601 – Secure Access To LDAP
This possibly-related bug is still open:
Bug 13832 – run zimbra ldap over ssl
This seems to be the "really important" bug for purposes of this topic:
Bug 15378 – Obviate the need for and disallow LDAP anonymous binds
And note that this seems to be fixed as of GnR.
Also see this discussion:
Disable Anonymous LDAP Browse