DTLS integration, probably? It's not in this Editor version, but this should work in 2021. Added a test to say "hey, this is the wrong version" and everything still works the same as before adding DTLS.

Assets/Scripts/Relay/RelayUtpSetup.cs

         }
         protected abstract void JoinRelay();
 
+
+        /// <summary>
+        /// Determine the server endpoint for connecting to the Relay server, for either an Allocation or a JoinAllocation.
+        /// If DTLS encryption is available, and there's a secure server endpoint available, use that as a secure connection. Otherwise, just connect to the Relay IP unsecured.
+        /// </summary>
+        protected NetworkEndPoint GetEndpointForAllocation(List<RelayServerEndpoint> endpoints, string ip, int port, out bool isSecure)
+        {
+            #if ENABLE_MANAGED_UNITYTLS
+                for (int ep = endpoints.Count - 1; ep >= 0; ep--)
+                {
+                    RelayServerEndpoint endpoint = endpoints[ep];
+                    if (endpoint.Secure && endpoint.Network == RelayServerEndpoint.NetworkOptions.Udp)
+                    {
+                        isSecure = true;
+                        return NetworkEndPoint.Parse(endpoint.Host, (ushort)endpoint.Port);
+                    }
+                }
+            #endif
+            isSecure = false;
+            return NetworkEndPoint.Parse(ip, (ushort)port);
+        }
+
-        protected void BindToAllocation(string ip, int port, byte[] allocationIdBytes, byte[] connectionDataBytes, byte[] hostConnectionDataBytes, byte[] hmacKeyBytes, int connectionCapacity)
+        protected void BindToAllocation(NetworkEndPoint serverEndpoint, byte[] allocationIdBytes, byte[] connectionDataBytes, byte[] hostConnectionDataBytes, byte[] hmacKeyBytes, int connectionCapacity, bool isSecure)
-            NetworkEndPoint     serverEndpoint     = NetworkEndPoint.Parse(ip, (ushort)port);
-            m_endpointForServer = serverEndpoint;
-            //TODO Implement DTLS 
-            bool isSecure = false;
-            relayServerData.ComputeNewNonce();
+            relayServerData.ComputeNewNonce(); // For security, the nonce value sent when authenticating the allocation must be increased.
             var relayNetworkParameter = new RelayNetworkParameter { ServerData = relayServerData };
 
             m_networkDriver = NetworkDriver.Create(new INetworkParameter[] { relayNetworkParameter });
         {
             m_allocation = allocation;
             RelayAPIInterface.GetJoinCodeAsync(allocation.AllocationId, OnRelayCode);
-            BindToAllocation(allocation.RelayServer.IpV4, allocation.RelayServer.Port, allocation.AllocationIdBytes, allocation.ConnectionData, allocation.ConnectionData, allocation.Key, 16);
+            bool isSecure = false;
+            m_endpointForServer = GetEndpointForAllocation(allocation.ServerEndpoints, allocation.RelayServer.IpV4, allocation.RelayServer.Port, out isSecure);
+            BindToAllocation(m_endpointForServer, allocation.AllocationIdBytes, allocation.ConnectionData, allocation.ConnectionData, allocation.Key, 16, isSecure);
-            m_localLobby.RelayServer = new ServerAddress(m_allocation.RelayServer.IpV4, m_allocation.RelayServer.Port);
+            m_localLobby.RelayServer = new ServerAddress(m_endpointForServer.Address.Split(':')[0], m_endpointForServer.Port);
             m_joinState |= JoinState.Joined;
             CheckForComplete();
         }
             if (joinAllocation == null)
                 return;
             m_allocation = joinAllocation;
-            BindToAllocation(joinAllocation.RelayServer.IpV4, joinAllocation.RelayServer.Port, joinAllocation.AllocationIdBytes, joinAllocation.ConnectionData, joinAllocation.HostConnectionData, joinAllocation.Key, 1);
-            m_localLobby.RelayServer = new ServerAddress(joinAllocation.RelayServer.IpV4, joinAllocation.RelayServer.Port);
+            bool isSecure = false;
+            m_endpointForServer = GetEndpointForAllocation(joinAllocation.ServerEndpoints, joinAllocation.RelayServer.IpV4, joinAllocation.RelayServer.Port, out isSecure);
+            BindToAllocation(m_endpointForServer, joinAllocation.AllocationIdBytes, joinAllocation.ConnectionData, joinAllocation.HostConnectionData, joinAllocation.Key, 1, isSecure);
+            m_localLobby.RelayServer = new ServerAddress(m_endpointForServer.Address, m_endpointForServer.Port);
         }
 
         protected override void OnBindingComplete()

Assets/Scripts/Tests/PlayMode/Tests.Play.asmdef

         "UnityEditor.TestRunner",
         "LobbyRelaySample",
         "Unity.Services.Lobbies",
-        "Unity.Services.Relay"
+        "Unity.Services.Relay",
+        "Unity.Networking.Transport"
     ],
     "includePlatforms": [],
     "excludePlatforms": [],

Assets/Scripts/Tests/PlayMode/UtpTests.cs

+using System.Collections;
+using System.Collections.Generic;
+using LobbyRelaySample.relay;
+using NUnit.Framework;
+using Unity.Networking.Transport;
+using Unity.Services.Relay.Models;
+using UnityEngine.TestTools;
+
+namespace Test
+{
+    public class UtpTests
+    {
+        private class RelayUtpTest : RelayUtpSetupHost
+        {
+            public NetworkEndPoint GetEndpointButPublic(List<RelayServerEndpoint> endpoints, string ip, int port, out bool isSecure)
+            {
+                return GetEndpointForAllocation(endpoints, ip, port, out isSecure);
+            }
+        }
+
+        [UnityTest]
+        public IEnumerator DTLSCheck()
+        {
+            yield return null; // TEMP
+
+            #if ENABLE_MANAGED_UNITYTLS
+                Assert.Fail("TODO: Implement.");
+            #else
+                Assert.Ignore("DTLS is not available in this version of Unity.");
+            #endif
+        }
+    }
+}

Assets/Scripts/Tests/PlayMode/UtpTests.cs.meta

+fileFormatVersion: 2
+guid: 0a6dfe6148a08af46a8eb5ffbbcf3f09
+MonoImporter:
+  externalObjects: {}
+  serializedVersion: 2
+  defaultReferences: []
+  executionOrder: 0
+  icon: {instanceID: 0}
+  userData: 
+  assetBundleName: 
+  assetBundleVariant: