See this culled from the RFC (4364). I think it explains it.
VPNs of the sort being discussed here, even without making use of
cryptographic security measures, are intended to provide a level of
security equivalent to that obtainable when a layer 2 backbone (e.g.,
Frame Relay) is used. That is, in the absence of misconfiguration or
deliberate interconnection of different VPNs, it is not possible for
systems in one VPN to gain access to systems in another VPN. Of
course, the methods described herein do not by themselves encrypt the
data for privacy, nor do they provide a way to determine whether data
has been tampered with en route. If this is desired, cryptographic
measures must be applied in addition. (See, e.g., [MPLS/BGP-IPsec].)
Security is discussed in more detail in Section 13.