ATS is globally disabled, so the app may load arbitrary cleartext HTTP and weak-TLS endpoints.
NSAllowsArbitraryLoads=true switches off App Transport Security for the whole app, so any request can silently use HTTP or broken TLS. A network attacker downgrades and intercepts at will.
The iOS app loses its platform-enforced TLS baseline; every connection is only as safe as each call site remembered to be.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>legacy.example.com</key>
<dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
</dict>
</dict>