I imagine even encrypted messages could be replayed if the protocol wasn't designed against it. It also doesen't say what kind of encryption it uses, it could be a very weak in-house "encryption", for all we know it could be only an unknown encoding.

The thermostat is paired with the boiler, the signals bundle the unique ID’s of each so this won’t happen. Otherwise there would be a risk the original thermostat would do the same.