How secure is a web request? Using TLS and a bearer token does one still need to assume that the body content can be decoded?
By using TLS (HTTPS), the entire message is encrypted in transit. Only the endpoints of the request (client and server) can decrypt the message.
This is, however, not a truth without exceptions. The security is based on a set of certificates and keys; in some scenarios, it will be possible for a man-in-the-middle attack. This is possible when the client or server is compromised either intentionally (corporate setting where you would want a firewall to see all the traffic) or unintentionally where the client has been compromised by some evil third party. If someone has the server key they would also be able to decrypt the traffic.
The bearer token is also encrypted in transit (both URL and headers are encrypted), but if it is transmitted as part of the URL it will likely end up in logs on the server side.