Is the applicationContext encrypted? Or is it simply stored as an unencrypted plist file? Because if it's the latter, I shouldn't be transferring access tokens using that.

The communication between the devices is encrypted, as documented in the iOS Security Guide. I haven't seen any documentation on whether the applicationContext storage location is encrypted, but to be safe you could encrypt the token yourself before queueing it to be sent and decrypt when the other device has received it.