Full-blown spoofing, ie, being able to generate a 'valid' sui generis GPS signal is effectively ruled out by encryption.
However a replay attack that uses a valid signal received at some other locate re-broadcast at a second place is not affected by encryption. You can imagine lots of clever ways to use a re-broadcast attack to draw a drone off course.
Sure, but one that's almost impossible to defend against it. Any viable defense has to happen on the client side with something like an antenna array to distuingish broadcasts from space from replay attacks, or a clock accurate enough to detect that the broadcasted time is off by dozens of microseconds and thus has to be a replay.
A detailed solution that addresses all of the stakeholder's equities in the PNT space would be welcome.
It is, however, a very long-standing issue that has been addressed by some of the best minds in physics and technology, with many billions of dollars available to them.