JRebel is a desktop tool in developer’s machine. It’s not a web application that you could communicate with over network, making the HTTP/HTTPS question not applicable. There is no incoming/outgoing traffic to/from JRebel (except for product usage statistics, which can be turned off).
JRebel data processing details are described here. Immediately after the activation of JRebel, the product will ask if you want to opt out of any data processing. This ensures JRebel is fully GDPR-compatible.
Exception is JRebel’s remote server support. When a developer uses JRebel to update code in remote servers, he is essentially sending parts of his application code over network. If he uses public network, he should use HTTPS connection (which the product supports). Vast majority of JRebel users are not using this feature.
In a nutshell: it’s a software tool whose effect is limited to the work the developer does on his code on his desktop machine. (Compare to for example a text editor, a video player, etc.) It’s not an information system that could be attacked for sensitive data.