I think it also depends what threat model you are defending against. If you are using HTTP Basic Authorization, the clients have to have access to that secret in order to talk to the Munki server. Is your concern that this secret could be leaked to unmanaged devices?
What would happen if a non-managed device got access to download things from your Munki server? Do you have anything hosted in your repo that you need to keep internal only for security, trade secret, or other reasons? If so, basic auth may not be the right choice for you, and as Mike Solin suggested, client certificates are a better way of ensuring only managed devices are able to access the repo.