bri3d 17 hours ago

In 2G/3G networks, IMSI is unencrypted in the initial handshake process while the handset gets a TMSI, so it can very trivially be passively observed, but only at specific points in time.

In 5G this is somewhat fixed - the handset uses its Home Network Public Key to encrypt the device-specific IMSI (producing a SUCI) which only the Home Network can decrypt. The MCC and MNC (carrier information) are still sent in the clear to allow the encrypted SUCI to route to the correct Home Network for decryption.
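The 5G concealment step described in this comment, as an added illustration that is not part of the original post and not code from any 3GPP or carrier implementation: the handset encrypts only the subscriber-specific part of the IMSI (the MSIN) under the Home Network's public key, while MCC and MNC travel in the clear so the SUCI can be routed home. The construction is modelled on the ECIES Profile A structure of 3GPP TS 33.501 Annex C (X25519 key agreement, X9.63 KDF with SHA-256, AES-128-CTR, 8-byte HMAC-SHA-256 tag); the exact field encodings, the `SUCI` struct, and the test IMSI `001-01-0123456789` are assumptions constructed for this example, and the Home Network key pair is generated locally rather than read from a SIM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SUCI is an assumed, simplified representation of the Subscription Concealed
// Identifier: the PLMN routing fields are plaintext, the MSIN is concealed.
type SUCI struct {
	MCC, MNC   string // routing information, sent in the clear
	EphPub     []byte // handset's one-time X25519 public key (32 bytes)
	Ciphertext []byte // AES-128-CTR encryption of the MSIN
	Tag        []byte // 8-byte HMAC-SHA-256 tag over the ciphertext
}

// x963KDF derives encKey(16) || icb(16) || macKey(32) from the ECDH shared
// secret, with the ephemeral public key as SharedInfo (Profile A layout).
func x963KDF(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	var out []byte
	for counter := uint32(1); len(out) < 64; counter++ {
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], counter)
		h := sha256.New()
		h.Write(shared)
		h.Write(c[:])
		h.Write(ephPub)
		out = h.Sum(out)
	}
	return out[:16], out[16:32], out[32:64]
}

// Conceal is the handset side. A fresh ephemeral key per attach means two
// SUCIs for the same IMSI are unlinkable to a passive observer.
func Conceal(mcc, mnc, msin string, hnPub *ecdh.PublicKey) (*SUCI, error) {
	ephPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := ephPriv.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := ephPriv.PublicKey().Bytes()
	encKey, icb, macKey := x963KDF(shared, ephPub)
	block, _ := aes.NewCipher(encKey) // 16-byte key, cannot fail
	ct := make([]byte, len(msin))
	cipher.NewCTR(block, icb).XORKeyStream(ct, []byte(msin))
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return &SUCI{MCC: mcc, MNC: mnc, EphPub: ephPub, Ciphertext: ct, Tag: mac.Sum(nil)[:8]}, nil
}

// Deconceal is the Home Network side: only the holder of the Home Network
// private key can rebuild the keys; a tampered ciphertext or wrong key fails
// the MAC check before anything is decrypted.
func Deconceal(s *SUCI, hnPriv *ecdh.PrivateKey) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphPub)
	if err != nil {
		return "", err
	}
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	encKey, icb, macKey := x963KDF(shared, s.EphPub)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(s.Ciphertext)
	if !hmac.Equal(mac.Sum(nil)[:8], s.Tag) {
		return "", errors.New("SUCI MAC check failed")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(s.Ciphertext))
	cipher.NewCTR(block, icb).XORKeyStream(pt, s.Ciphertext)
	return string(pt), nil
}

func main() {
	// Constructed Home Network key pair and test IMSI (MCC 001, MNC 01).
	hnPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	suci, _ := Conceal("001", "01", "0123456789", hnPriv.PublicKey())
	fmt.Printf("in clear: MCC=%s MNC=%s; concealed MSIN=%x\n", suci.MCC, suci.MNC, suci.Ciphertext)
	msin, err := Deconceal(suci, hnPriv)
	fmt.Println("home network recovers:", msin, err)
}
```

Running `Conceal` twice on the same IMSI yields two different `EphPub`/`Ciphertext` pairs, which is the property that stops the passive observation the comment describes for 2G/3G; what an observer still learns is the MCC/MNC pair in the clear.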