HTTPS requests completed through the proxy's custom CA, which means the app accepted a substituted certificate: it does not pin or properly validate certificates, and that enables MITM.
The test proxy presented a certificate from a custom CA and the app accepted it: TLS interception succeeded end to end. Any attacker who gets a CA onto the device (or strips validation) reads all traffic.
Your API traffic, including auth flows, has been shown in practice to be interceptable.
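<!-- Network security config resource, e.g. res/xml/network_security_config.xml -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- Once the expiration date has passed, pinning is no longer enforced for this domain -->
        <pin-set expiration="2027-01-01">
            <!-- Each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo; replace the placeholders -->
            <pin digest="SHA-256">base64+primary+spki+hash=</pin>
            <pin digest="SHA-256">base64+backup+spki+hash=</pin>
        </pin-set>
    </domain-config>
</network-security-config>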
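A lint for the config above, as an added example (not part of the original finding or of any tool's own code): it flags placeholder or malformed pins, a missing backup pin, an expired pin-set and trust in user-installed CAs. The function names and the embedded sample input are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: the config above with its placeholder pins left unreplaced.
SAMPLE_CONFIG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">base64+primary+spki+hash=</pin>
      <pin digest="SHA-256">base64+backup+spki+hash=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def is_sha256_pin(text):
    """True if text is strict base64 that decodes to 32 bytes (a SHA-256 digest)."""
    try:
        return len(base64.b64decode(text.strip(), validate=True)) == 32
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def audit_pinning(xml_text, today):
    """Return human-readable findings for every <domain-config> in the document."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("domain-config"):
        name = ", ".join((d.text or "").strip() for d in cfg.findall("domain"))
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            findings.append(f"{name}: no pin-set, so nothing is pinned")
            continue
        pins = [(p.text or "").strip() for p in pin_set.findall("pin")]
        bad = [p for p in pins if not is_sha256_pin(p)]
        findings += [f"{name}: pin {p!r} is not a base64 SHA-256 digest" for p in bad]
        if len(set(pins) - set(bad)) < 2:
            findings.append(f"{name}: fewer than two valid pins, no backup key")
        expiry = pin_set.get("expiration")
        if expiry and date.fromisoformat(expiry) <= today:
            findings.append(f"{name}: pin-set expired on {expiry}")
        if any(c.get("src") == "user" for c in cfg.iter("certificates")):
            findings.append(f"{name}: trusts user-installed CAs")
    return findings


if __name__ == "__main__":
    for line in audit_pinning(SAMPLE_CONFIG, date.today()):
        print(line)
```

Running it in CI against the shipped config catches a release that still carries the placeholder pin strings or a pin-set that has already lapsed.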