diff --git a/.drone.star b/.drone.star
index 34ab845f41..40721e154b 100644
--- a/.drone.star
+++ b/.drone.star
@@ -1477,7 +1477,6 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []):
 "PROXY_OIDC_INSECURE": "true",
 "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
 "THUMBNAILS_CS3SOURCE_INSECURE": "true",
- "REVA_GATEWAY_INSECURE": "true",
 "STORAGE_OIDC_INSECURE": "true",
 "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
 "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
diff --git a/.vscode/launch.json b/.vscode/launch.json
index d00d1d4f4e..06ddad7060 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -21,7 +21,6 @@
 "PROXY_OIDC_INSECURE": "true",
 "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
 "THUMBNAILS_CS3SOURCE_INSECURE": "true",
- "REVA_GATEWAY_INSECURE": "true",
 "STORAGE_OIDC_INSECURE": "true",
 "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
 "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md
index ec7e032e5d..5dde184e6a 100644
--- a/changelog/unreleased/insecure-options.md
+++ b/changelog/unreleased/insecure-options.md
@@ -4,7 +4,6 @@ We had several hard-coded 'insecure' flags. These options are now configurable a
 ```
 PROXY_OIDC_INSECURE=true
-REVA_GATEWAY_INSECURE=true
 STORAGE_FRONTEND_APPPROVIDER_INSECURE=true
 STORAGE_FRONTEND_ARCHIVER_INSECURE=true
 STORAGE_FRONTEND_OCDAV_INSECURE=true
diff --git a/graph/pkg/service/v0/graph.go b/graph/pkg/service/v0/graph.go
index fb0c1c5051..51f5cc6042 100644
--- a/graph/pkg/service/v0/graph.go
+++ b/graph/pkg/service/v0/graph.go
@@ -24,7 +24,7 @@ func (g Graph) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // GetClient returns a gateway client to talk to reva
 func (g Graph) GetClient() (gateway.GatewayAPIClient, error) {
- return pool.GetGatewayServiceClient(g.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+ return pool.GetGatewayServiceClient(g.config.Reva.Address)
 }
 // The key type is unexported to prevent collisions with context keys defined in
diff --git a/ocs/pkg/service/v0/service.go b/ocs/pkg/service/v0/service.go
index 1262ccdf11..146561f156 100644
--- a/ocs/pkg/service/v0/service.go
+++ b/ocs/pkg/service/v0/service.go
@@ -161,7 +161,7 @@ func (o Ocs) getAccountService() accounts.AccountsService {
 }
 func (o Ocs) getCS3Backend() backend.UserBackend {
- revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+ revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
 if err != nil {
 o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address)
 }
diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go
index 5b039016ca..c9108a1567 100644
--- a/ocs/pkg/service/v0/users.go
+++ b/ocs/pkg/service/v0/users.go
@@ -384,7 +384,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) {
 ctx := metadata.AppendToOutgoingContext(r.Context(), revactx.TokenHeader, t)
- gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+ gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
 if err != nil {
 o.logger.Error().Err(err).Msg("error securing a connection to Reva gateway")
 }
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
index 162ee28437..8b43411034 100644
--- a/proxy/pkg/command/server.go
+++ b/proxy/pkg/command/server.go
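Review bot: In graph/pkg/service/v0/graph.go, GetClient loses the only in-code marker saying that pool.GetGatewayServiceClient is called with "insecure defaults to true"; the same TODO is dropped in ocs/pkg/service/v0/service.go, ocs/pkg/service/v0/users.go and thumbnails/pkg/server/grpc/server.go. Nothing visible in this diff changes that default, so if the linked reva issue is still open these calls presumably keep the relaxed setting and the tracking pointer is gone. I would keep a short form in the doc comment instead of deleting it, for example `// GetClient returns a gateway client to talk to reva. The pool's insecure setting still defaults to true, see https://github.com/cs3org/reva/issues/2216.`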
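Review bot: In getCS3Backend (ocs/pkg/service/v0/service.go) the fatal log drops `err`, so a failure to build the gateway client is reported with the address only and no cause. Attaching the error keeps the reason in the log: `o.logger.Fatal().Err(err).Msgf("could not get reva client at address %s", o.config.Reva.Address)`. The function body continues outside the hunk.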
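Review bot: In DeleteUser (ocs/pkg/service/v0/users.go) the error from pool.GetGatewayServiceClient is logged but the visible `if err != nil` block does not return, so `gwc` may be used while nil further down. The handler continues outside the hunk, so this needs checking against the full function; if there is no later guard, write the error response and `return` inside that block. The message "error securing a connection to Reva gateway" also suggests transport security is being negotiated, which the call does not show; wording such as `could not get gateway client`, as used in thumbnails/pkg/server/grpc/server.go, would be more accurate.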
@@ -149,7 +149,7 @@ func Server(cfg *config.Config) *cli.Command {
 func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) alice.Chain {
 rolesClient := settings.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient)
- revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.Insecure) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+ revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address)
 var userProvider backend.UserBackend
 switch cfg.AccountBackend {
 case "accounts":
diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
index 7f839ef54f..9dd370118e 100644
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -81,7 +81,6 @@ var (
 // Reva defines all available REVA configuration.
 type Reva struct {
 Address string
- Insecure bool
 Middleware Middleware
 }
diff --git a/proxy/pkg/cs3/client.go b/proxy/pkg/cs3/client.go
index 91a5c566aa..68f52d2d7b 100644
--- a/proxy/pkg/cs3/client.go
+++ b/proxy/pkg/cs3/client.go
@@ -7,24 +7,17 @@ import (
 "google.golang.org/grpc"
 )
-func newConn(endpoint string, insecure bool) (*grpc.ClientConn, error) {
- opts := []grpc.DialOption{}
-
- opts = append(opts, grpc.WithUnaryInterceptor(
- otelgrpc.UnaryClientInterceptor(
- otelgrpc.WithTracerProvider(
- proxytracing.TraceProvider,
- ),
- ),
- ))
-
- if insecure {
- opts = append(opts, grpc.WithInsecure())
- }
-
+func newConn(endpoint string) (*grpc.ClientConn, error) {
 conn, err := grpc.Dial(
 endpoint,
- opts...,
+ grpc.WithInsecure(),
+ grpc.WithUnaryInterceptor(
+ otelgrpc.UnaryClientInterceptor(
+ otelgrpc.WithTracerProvider(
+ proxytracing.TraceProvider,
+ ),
+ ),
+ ),
 )
 if err != nil {
 return nil, err
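Review bot: In loadMiddlewares (proxy/pkg/command/server.go) the `err` returned by cs3.GetGatewayServiceClient is not checked before the `switch cfg.AccountBackend` that follows, at least in the lines visible here. The function continues outside the hunk, so a later check may exist; if it does not, a failed client construction would pass a nil `revaClient` into the user backends. Checking directly under the call, in the style the other services use (`logger.Error().Err(err).Msg("could not get reva gateway client")`), makes the failure visible at the point it happens.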
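Review bot: newConn in proxy/pkg/cs3/client.go now passes `grpc.WithInsecure()` unconditionally, so every proxy-to-gateway connection is dialed without transport security and operators have no setting left to change that, since the `Insecure` field and the `reva-gateway-insecure` flag are removed elsewhere in this commit. Whatever the proxy forwards to the gateway travels on this channel, so the endpoint has to sit on loopback or an otherwise trusted network segment, and that assumption is not written down in the new code. At minimum I would add a comment above the dial, e.g. `// plaintext gRPC: endpoint must be on a trusted network until TLS is configurable, see https://github.com/cs3org/reva/issues/2216`. Longer term, taking the dial credentials from configuration via `grpc.WithTransportCredentials(...)` would make a secured connection possible at all. The function body ends outside the hunk.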
@@ -34,8 +27,8 @@ func newConn(endpoint string, insecure bool) (*grpc.ClientConn, error) {
 }
 // GetGatewayServiceClient returns a new cs3 gateway client
-func GetGatewayServiceClient(endpoint string, insecure bool) (gateway.GatewayAPIClient, error) {
- conn, err := newConn(endpoint, insecure)
+func GetGatewayServiceClient(endpoint string) (gateway.GatewayAPIClient, error) {
+ conn, err := newConn(endpoint)
 if err != nil {
 return nil, err
 }
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index c16699f240..0d4b829923 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -189,13 +189,6 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"REVA_GATEWAY"},
 Destination: &cfg.Reva.Address,
 },
- &cli.BoolFlag{
- Name: "reva-gateway-insecure",
- Value: flags.OverrideDefaultBool(cfg.Reva.Insecure, false),
- Usage: "allow insecure communication to REVA gateway endpoint",
- EnvVars: []string{"REVA_GATEWAY_INSECURE"},
- Destination: &cfg.Reva.Insecure,
- },
 &cli.BoolFlag{
 Name: "insecure",
 Value: flags.OverrideDefaultBool(cfg.InsecureBackends, false),
diff --git a/thumbnails/pkg/server/grpc/server.go b/thumbnails/pkg/server/grpc/server.go
index ccc99cbae1..0c905c06e5 100644
--- a/thumbnails/pkg/server/grpc/server.go
+++ b/thumbnails/pkg/server/grpc/server.go
@@ -25,7 +25,7 @@ func NewService(opts ...Option) grpc.Service {
 grpc.Version(options.Config.Server.Version),
 )
 tconf := options.Config.Thumbnail
- gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+ gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway)
 if err != nil {
 options.Logger.Error().Err(err).Msg("could not get gateway client")
 return grpc.Service{}