Encryption of SGT-tagged traffic is optional and depends on the switches involved.
Some switches can encrypt and authenticate packets with Security Group Tags using MACsec if they have capable-line cards or uplink modules installed (Catalyst 3560X, 3650, 4500, 6500 and Nexus 7000). Some switches tag traffic but do not have any MACsec capabilities, for instance, the Nexus 5500 and 5600.
As MACsec encryption works on a hop-by-hop basis, the traffic is not encrypted within a switch. This means that traffic could be sent to a SPAN port as an example.
For completeness, tagged traffic over a WAN would typically be encrypted with IPsec, DM-VPN or GET-VPN.
At http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html, the switches that can encrypt SGT-tagged traffic have an ‘SGT over MACsec’ entry in the column marked ‘Inline SGT Tagging’.