A notable exception in the US being for the telecommand of space stations (97.211b).
There's also some grey area around encryption for telecommand of terrestrial craft --- you aren't allowed to "obscure the meaning of the communication" (97.215b), but other sections of Part 97 require preventing access to telecommand stations by unlicensed operators. This has raised questions over whether disallowing encryption is more important than risking telecommand stations being maliciously hijacked.
FWIW there's no conflict there in terms of the cryptography.
A replay-protected, keyed authenticator of plaintext commands (HMAC, etc) is not encryption; it is authentication. In a similar sense you are allowed to put a rolling log-in password on a packet radio BBS, so that passive monitoring will see the password, but as soon as it's revealed, it's no longer useful for additional logins.
There's also some grey area around encryption for telecommand of terrestrial craft --- you aren't allowed to "obscure the meaning of the communication" (97.215b), but other sections of Part 97 require preventing access to telecommand stations by unlicensed operators. This has raised questions over whether disallowing encryption is more important than risking telecommand stations being maliciously hijacked.