Is using Heroku Postgres secure against MITM attacks?
No, Heroku Postgres is not secure against a MitM. The highest risk is running pg:psql
from the command line, since it's fairly easy to get between your laptop and Heroku by using a WiFi Pineapple or similar tools. Getting between your Dynos and the database is much harder. This is possible since Heroku hasn't created a CA to sign their database certificates, thus there's no trust root to use when you're connecting.
I did a writeup of actually performing such a MitM against Heroku Postgres here, please file a support ticket with Heroku saying you'd like to see them create a CA and issue a trusted root we can use to authenticate connections if you care about this.