Can GET Requests with Spring Rest controllers be intercepted by attackers?

I’m building a Spring app and a React app which also contains Chat functionality. I use WebSocket with RabbitMQ as message broker.

I store the chat history as encrypted messages with AES, and before I send them to the client, I decrypt them. So I’m wondering if someone could “intercept” the GET request and actually see the messages? I use JWT as authorisation, so to get the messages, the user of course has to be logged in. Also is it better to decrypt the messages in the backend or send the key and encrypted messages to be decrypted in the frontend?

I know it’s better to use a hybrid of AES and RSA, and to send the private key with SSL, however, this is just for a bachelor thesis so writing about it in the report is “good enough”. I don’t have enough time to implement the hybrid version. I do however want to keep the chat the most secure I can.

So really my questions are: Can GET requests be “captured” by attackers even when you have to be authenticated to call the requests, and since I have to use symmetric cryptography, is it better to decrypt the messages in the backend or sending key and encrypted messages to frontend?