The details will depend on your channel technology.
[ul][li] even if using SIPS and SRTP Asterisk only encrypts the SIP and any non-natively bridged media on a per hop basis.[/li]
[li] whilst I’m not sure if Asterisk supports native bridging, for SRTP, even if it does, Asterisk is man in the middle during the session key exchange, so has access to the session keys. This is true for any SIP PABX or proxy.[/li]
[li] native bridging is not possible if you have a codec incompatibility, any feature enabled that requires digit detection, conferencing, monitoring, whispering, etc.[/li]
[li] generally SIP does not send DTMF as tones, because most codecs will not support that, and tones are vulnerable jitter, etc., but rather sends it pre-decoded[/li]
[li] the telephony events packets that carry encoded DTMF are likely to be shorter than normal voice packets, so one can probably guess when digits are sent and how many without even decoding them.[/li][/ul]
I’d therefore suggest that, if you need to ask such a question about a PABX or SIP proxy, you don’t have the knowledge to properly analyze the security of your system, and should operate it “system high”.
There is a specific logging class for DTMF, so you should be able to turn that off.
Support questions should be asked on Asterisk Support.