Are the subdomain websites WordPress websites? If so, then you would install BPS on each of those subdomain sites. If the subdomain sites are not WordPress sites, then BPS will probably apply its root .htaccess file security rules to those subdomain site folders, depending on your site architecture. .htaccess files are hierarchical / recursive. An .htaccess file in the website root folder will apply those security rules to subdomain-folder-1 and subdomain-folder-2, unless you add an .htaccess file in each of those folders, which is recommended.
/.htaccess file
/subdomain-folder-1
/subdomain-folder-2
If you are talking about Network / Multisite subsites, then yes, they are protected without having to do anything else. The BPS settings in the Primary site protect all the virtual subsites in Network / Multisite sites.
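
A way to check which subdomain folders fall back on the root .htaccess file and which carry their own, written as an added example (not part of the reply above and not BPS code). It also flags one Apache behaviour worth knowing when adding per-folder files: a folder's .htaccess that contains mod_rewrite directives does not inherit the parent's rewrite rules unless it sets RewriteOptions Inherit. Assumptions: AllowOverride permits .htaccess files, the root file does not use RewriteOptions InheritDown, and subdomain-folder-3 plus all rule contents are constructed sample data.

```python
import os
import re
import tempfile

# Any mod_rewrite directive in a per-directory file.
REWRITE = re.compile(r"^\s*Rewrite(Engine|Rule|Cond|Base)\b", re.I | re.M)
# The folder opts back in to the parent's rewrite rules.
INHERIT = re.compile(r"^\s*RewriteOptions\b.*\bInherit(Before)?\b", re.I | re.M)

def audit(site_root):
    """Map each first-level folder to how the root .htaccess affects it."""
    root_has = os.path.isfile(os.path.join(site_root, ".htaccess"))
    report = {}
    for name in sorted(os.listdir(site_root)):
        own = os.path.join(site_root, name, ".htaccess")
        if not os.path.isdir(os.path.join(site_root, name)):
            continue
        if not os.path.isfile(own):
            report[name] = "inherits root rules" if root_has else "no rules at all"
            continue
        with open(own, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if REWRITE.search(text) and not INHERIT.search(text):
            report[name] = "own file; root rewrite rules NOT inherited"
        else:
            report[name] = "own file; merged with root rules"
    return report

def sample_report():
    """Build a constructed tree matching the layout above and audit it."""
    files = {  # constructed sample content, not real BPS rules
        ".htaccess": "RewriteEngine On\nRewriteRule ^private/ - [F]\n",
        "subdomain-folder-2/.htaccess": "RewriteEngine On\nRewriteRule ^old$ new [L]\n",
        "subdomain-folder-3/.htaccess": "RewriteEngine On\nRewriteOptions Inherit\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "subdomain-folder-1"))  # no .htaccess of its own
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)

if __name__ == "__main__":
    for folder, status in sample_report().items():
        print(f"{folder}: {status}")
```

To audit a real site, call audit() with the path of the website root folder.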