Specific domains are allowed to use insecure HTTP via an ATS exception.
How it's exploited
Per-domain ATS exceptions (insecure HTTP loads, TLS 1.0/1.1, no forward secrecy) quietly re-open, for the named domains, the exact downgrade paths ATS exists to block.
Why it matters
Traffic to excepted domains is interceptable even though "ATS is on", which routinely surprises security reviews.
How to fix it
Audit each NSExceptionDomains entry; delete the ones added for long-fixed server issues.
Upgrade the remaining hosts to TLS 1.2+ and remove the exception rather than keeping it.
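An audit script for the steps above, added here as an example (it is not part of the original entry or of any Apple tooling). It parses an Info.plist with the standard library's plistlib, reports every NSExceptionDomains entry that relaxes ATS (insecure HTTP, minimum TLS below 1.2, forward secrecy disabled), and drops the entries for hosts that have since been upgraded so the exception is removed rather than kept. The embedded plist and the example.com hostnames are constructed sample data.

```python
import plistlib

# Constructed sample Info.plist (not from any real app): one stale exception that
# re-enables plaintext HTTP, TLS 1.0 and drops forward secrecy for a whole
# subdomain tree, and one exception that only tightens requirements.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.3</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Ordering of the values Apple accepts for NSExceptionMinimumTLSVersion.
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def audit_ats(plist_bytes: bytes) -> dict:
    """Return {domain: [weakness, ...]} for each NSExceptionDomains entry that
    relaxes ATS. Entries that only raise requirements (e.g. TLSv1.3) are omitted."""
    info = plistlib.loads(plist_bytes)
    exceptions = info.get("NSAppTransportSecurity", {}).get("NSExceptionDomains", {})
    report = {}
    for domain, cfg in exceptions.items():
        weak = []
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False):
            weak.append("plaintext HTTP allowed")
        # When the key is absent ATS's default minimum of TLS 1.2 applies.
        tls = cfg.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if TLS_ORDER.get(tls, 0) < TLS_ORDER["TLSv1.2"]:
            weak.append(f"minimum TLS is {tls}")
        if cfg.get("NSExceptionRequiresForwardSecrecy", True) is False:
            weak.append("forward secrecy not required")
        # Only worth flagging if the exception is weak in the first place.
        if weak and cfg.get("NSIncludesSubdomains", False):
            weak.append("exception also covers all subdomains")
        if weak:
            report[domain] = weak
    return report


def drop_exceptions(plist_bytes: bytes, upgraded_domains) -> bytes:
    """Return a new plist with the exceptions for the given (now TLS 1.2+) hosts
    removed. If no exceptions remain, the NSExceptionDomains key is removed too."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    exceptions = ats.get("NSExceptionDomains", {})
    for domain in upgraded_domains:
        exceptions.pop(domain, None)
    if not exceptions:
        ats.pop("NSExceptionDomains", None)
    return plistlib.dumps(info)


if __name__ == "__main__":
    for domain, issues in audit_ats(SAMPLE_INFO_PLIST).items():
        print(f"{domain}: " + "; ".join(issues))
    fixed = drop_exceptions(SAMPLE_INFO_PLIST, ["legacy-api.example.com"])
    print("after cleanup:", audit_ats(fixed) or "no weak exceptions")
```

Run it against a real Info.plist by reading the file in binary mode and passing the bytes to audit_ats; any domain it reports is one to either remove outright (if the server issue is long fixed) or upgrade and then remove.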