If they're using standard TLS, the actual data encryption is symmetric, so the encryption keys are the decryption keys and must be in memory during the encryption process.
If it is TLS, you can get the keys used in the session from lsass’ memory. I’ve even written a tool to do so in PowerShell https://gist.github.com/jborean93/6c1f1b3130f2675f1618da5663.... This will generate a log file that contains the keys needed for Wireshark to decrypt TLS traffic.
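Added example, not part of the thread and not code from the linked gist: a validator for a Wireshark key log file that reports which captured sessions it actually covers. It assumes the log uses the NSS key log (SSLKEYLOGFILE) format that Wireshark reads; the sample entries are constructed, not real key material.

```python
import re

# Assumption: NSS key log (SSLKEYLOGFILE) format, one entry per line:
#   <LABEL> <client_random_hex> <secret_hex>
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
HEX = re.compile(r"[0-9a-fA-F]+")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(line_no, reason)])."""
    sessions, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue                      # blank line or comment
        if len(parts) != 3:
            errors.append((n, "expected 3 fields"))
            continue
        label, rnd, secret = parts
        if label == "CLIENT_RANDOM":
            ok_len = (96,)                # 48-byte master secret
        elif label in TLS13_LABELS:
            ok_len = (64, 96)             # SHA-256 or SHA-384 sized secret
        else:
            errors.append((n, "unknown label"))
            continue
        if not (HEX.fullmatch(rnd) and len(rnd) == 64):
            errors.append((n, "client random is not 32 hex-encoded bytes"))
        elif not (HEX.fullmatch(secret) and len(secret) in ok_len):
            errors.append((n, "secret is not hex or has the wrong length"))
        else:
            sessions.setdefault(rnd.lower(), {})[label] = secret.lower()
    return sessions, errors

def summarize(sessions):
    """Describe, per client random, which session secrets the log holds."""
    out = {}
    for rnd, labels in sessions.items():
        if "CLIENT_RANDOM" in labels:
            out[rnd] = "TLS<=1.2 master secret"
        else:
            dirs = [d for d in ("CLIENT", "SERVER") if f"{d}_TRAFFIC_SECRET_0" in labels]
            out[rnd] = "TLS1.3 app secrets: " + ("+".join(dirs) or "none")
    return out

# Constructed sample input: repeated bytes stand in for randoms and secrets.
SAMPLE = "\n".join([
    "# constructed sample, not real key material",
    f"CLIENT_RANDOM {'ab' * 32} {'cd' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {'11' * 32} {'22' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'11' * 32} {'33' * 32}",
    f"CLIENT_RANDOM {'ef' * 32} {'cd' * 10}",   # truncated secret
    "garbage line",
])
```

A session whose client random does not appear in the parsed result will stay encrypted in Wireshark, which is the first thing to check when a capture does not decrypt.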
My claim is it's not standard TLS or there's an additional layer (external encryption key) because an actual decryption of telemetry traffic has never been demonstrated.
I'm not sure that actually holds — the encryption keys are in memory, but the decryption keys don't necessarily have to be.
The pre-encrypted payloads definitely are in memory at some point; however, snatching them probably involves larger-scale reverse-engineering.