Basically it depends on what you call the off-card application, and whether you consider it trusted (or to which extent you consider it trusted).
In a system involving a card application, a mobile phone application, and a back-end server, usually the server and the card application are trusted, anything in between isn't (which means communication has to be done ciphered). The card will want to authenticate any incoming data before processing it. In that case the mobile application is not very much trusted, for various reasons, including the shortcomings of mobile OSes' security. You need to elaborate a bit more on your use case. What are the attacks you wish to prevent, and what part of your system do you trust?
Anyway, to answer your question, the private data managed by the card application does not need to be encrypted before being stored, because the storage can be considered safe.
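As an added illustration of the trust split described in this answer (not code from the original post), the following Python model has a trusted server and a trusted card application share a key, while the mobile app in between only relays opaque bytes; the card authenticates every message before it decrypts and stores the payload, and the stored copy is kept in clear. Keys, counter format, the HMAC-based keystream used in place of AES, and all messages are constructed assumptions for the demo, not a real card protocol.

```python
import hashlib
import hmac

# Constructed sample keys, assumed provisioned into the card at personalisation
# time and known only to the server and the card, never to the mobile app.
ENC_KEY, MAC_KEY = bytes(range(16)), bytes(range(16, 32))

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stdlib stand-in for AES)."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def server_wrap(counter, payload):
    """Trusted server: encrypt-then-MAC, with an anti-replay counter as the header."""
    header = counter.to_bytes(4, "big")
    ct = _xor_stream(ENC_KEY, header, payload)
    return header + ct + hmac.new(MAC_KEY, header + ct, hashlib.sha256).digest()[:16]

def mobile_relay(message, tamper=False):
    """Untrusted mobile app: it only forwards opaque bytes; any edit is caught by the card."""
    return message[:4] + bytes([message[4] ^ 1]) + message[5:] if tamper else message

class CardApplet:
    """Trusted card application: authenticate first, only then decrypt and store."""
    def __init__(self):
        self.last_counter = 0
        self.stored = []  # private data at rest on the card, kept in clear

    def process(self, message):
        header, ct, tag = message[:4], message[4:-16], message[-16:]
        expected = hmac.new(MAC_KEY, header + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return "REJECT: bad MAC"        # tampered or forged by the relay
        counter = int.from_bytes(header, "big")
        if counter <= self.last_counter:
            return "REJECT: replay"         # old message re-sent by the relay
        self.last_counter = counter
        self.stored.append(_xor_stream(ENC_KEY, header, ct))
        return "OK"

def demo():
    """Returns the card's verdicts for a good, a replayed and a tampered message."""
    card = CardApplet()
    m1 = server_wrap(1, b"PIN=1234")
    verdicts = [card.process(mobile_relay(m1)),
                card.process(mobile_relay(m1)),
                card.process(mobile_relay(server_wrap(2, b"limit=500"), tamper=True))]
    return verdicts, card.stored
```

Only the first message reaches card storage; the replayed and the tampered ones are rejected before any decryption happens.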