Correct, thanks for helping @AndrewSimard .
Like any SSL encrypted communication, it prevents man-in-the-middle attacks, yes, but not web server logs. The other end (IIS) receives the communication unencrypted and what it does with it it's out of Sparkle control. But web logs are common and useful, and the requested URL is indeed logged. So it's not very secure to send sensitive information in URL because of such logs.
I explain that explicitly in my webinar about cloud services. The part of the video I talk about it is here: https://youtu.be/ZHbDFu8Cbsg?t=1926.
Watch out for more webinars like this by subscribing to the TMS BIZ: Behind the scenes webinar series.