Would it pose a risk to our environment if we configured Node Manager as the “plain” type and set the SecureListener to “false”?
Administration Console users do not need to explicitly provide credentials to connect to Node Manager — the Node Manager username and password are available in the domain configuration and are provided automatically. Refer to Configuring Java-based Node Manager Security for more details.
Therefore only when you use a client (e.g., WLST) would you need to pass on credential information.
The Weblogic Server domain is usually sitting at the back end and is protected by a firewall. As such, it would be acceptable to use “Plain” communication within the domain even for a production environment.
If a secure channel is needed, you need to enable SSL and have proper SSL configuration in place. See Using SSL With Java-based Node Manager for more details.