While poking around, I came across this Black Hat presentation from 2015:
To recap a bit, Zigbee offers a Trust Center (TC) link key that is to be shared only between two devices. However, these researchers found that all devices they tested fall back to the default TC link for initial key exchange, and no link keys are used/supported (i.e., a disconnect between the spec guidelines and implementation). Granted, the presentation is old and it may have cherry-picked results.
I was curious where HE lands in this space. Does HE enforce keys / encrypted links when integrating with Zigbee devices?