As you say, when the communication happens on `localhost`, no packet whatsoever goes to the external network, so if capture happens, then it must happen on the machine itself.
There are two noteworthy points in that respect:
- Capturing on `localhost` does not work on all OS. Notably, it does not work well on Windows (there are partial solutions), while it works on Linux.
- Capturing requires some extensive access rights. People who can capture `localhost` traffic already have `root` or `Administrator` access on the machine, so they can also directly inspect the RAM of the involved process, and generally do what they want with the machine.
Thus security issues related to a `localhost` connection do not come from traffic capture. More usually, problems come from unprivileged applications on the same machine (running as another local user) which connect to the server. A security-aware local server will usually use `getpeereid()` (on Unix-like systems) to know who is connecting to it.