TURN is the fallback path when ICE can't find a direct peer-to-peer route. Both peers connect to the TURN server and the server forwards packets between them. The connection is still encrypted end-to-end, so the relay server can't read the media, but it does carry every byte of audio and video for the duration of the call.
That last detail is why TURN is the expensive part of a production WebRTC stack. STUN is free; TURN traffic is paid bandwidth. The percentage of calls that need TURN is usually small — public estimates put it in the 10 to 20 percent range, depending on user geography and corporate firewall policy — but those calls drive most of the infrastructure cost.
Engineers building a first WebRTC prototype usually skip TURN and discover the gap when their fifth tester is sitting on a corporate VPN with UDP blocked. The fix is to configure a TURN server (coturn is the standard open-source option) and add its credentials to the ICE configuration. The same browser code works; ICE just adds a relayed candidate that succeeds when no other path can.