If you use -k, cURL will skip verifying the SSL certificate of the website you connect to. You are right that the data transfer will still be encrypted, and so you will be protected against someone who can snoop on your network.
The problem arises when you have someone who can actively redirect traffic on your network. They could run what's called a man-in-the-middle attack, and be able to read (or modify!) the data that's being transferred.
In other words: when you connect to https://google.com, there are two parts to the security:
- Is your communication encrypted? (so someone passively snooping can't see what you're doing)
- Are you actually talking to the real google.com? (as opposed to an attacker-controlled system)
Using the -k option (disabling certificate validation) removes that second component of the security (as that's the whole idea behind certificates). Because of the danger of a man-in-the-middle attack, it's not considered secure—but it is still encrypted!
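Because -k quietly removes the identity check, it is worth finding where scripts still use it. The following is an added example, not part of the original answer: a small Python audit that flags curl command lines containing -k (alone or inside a cluster such as -sSkL) or --insecure. The list of value-taking short options and the sample script are assumptions made for the illustration.

```python
import os
import shlex

# Short curl options that consume a value (assumed list, not exhaustive).
# In a cluster such as "-ok", the text after that letter is its value, not flags.
TAKES_VALUE = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")
SEPARATORS = {"|", "||", "&&", ";", "&"}   # end of the curl command

def insecure_flags(command):
    """Return the tokens of one curl command line that turn off certificate checks."""
    try:
        tokens = shlex.split(command, comments=True)
    except ValueError:                      # unbalanced quotes: crude fallback
        tokens = command.split()
    start = next((i for i, t in enumerate(tokens)
                  if os.path.basename(t) == "curl"), None)
    if start is None:
        return []
    hits, skip = [], False
    for tok in tokens[start + 1:]:
        if tok in SEPARATORS:
            break
        if skip:                            # value of the previous option
            skip = False
        elif tok == "--insecure":
            hits.append(tok)
        elif tok.startswith("-") and not tok.startswith("--"):
            for i, ch in enumerate(tok[1:], start=1):
                if ch == "k":
                    hits.append(tok)
                    break
                if ch in TAKES_VALUE:
                    skip = i == len(tok) - 1    # value is the next token
                    break
    return hits

def audit(script):
    """Return (line number, offending tokens) for each flagged line."""
    checked = ((n, insecure_flags(l)) for n, l in enumerate(script.splitlines(), 1))
    return [(n, hits) for n, hits in checked if hits]

# Constructed sample script, not taken from any real project.
SAMPLE = """\
curl -sSkL https://internal.example/install.sh
curl -o k.txt --cacert corp-ca.pem https://internal.example/file
curl -s https://internal.example/a.tar | tar -xk
/usr/bin/curl --insecure https://internal.example/api
"""
```

Commands split across lines with a trailing backslash and long options whose value happens to look like -k are not handled; the second can produce a false positive, which for an audit is the safer direction to err in.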