NSAllowsArbitraryLoadsInWebContent lets any page inside your WebViews load over HTTP. Script injected into such a plaintext page runs inside your app's web context.
Why it matters
In-app web content becomes attacker-controllable on hostile networks, enabling credential phishing with your app's chrome around it.
How to fix it
Serve all in-app web content over HTTPS and drop the exception.
Validate and pin the origins your WebViews are allowed to load.
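
A build-time check for the first fix step, as an added example (not code from the original page): it reads an Info.plist, reports the App Transport Security keys that permit plaintext HTTP, and removes the web-content exception. The function names and the sample plist are constructed for illustration, and the check goes one key beyond the page by also reporting NSAllowsArbitraryLoads.

```python
import plistlib

ATS = "NSAppTransportSecurity"
WEB_KEY = "NSAllowsArbitraryLoadsInWebContent"  # the key this page is about
GLOBAL_KEY = "NSAllowsArbitraryLoads"           # app-wide ATS opt-out

# Constructed sample Info.plist (not taken from a real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  </dict>
</dict>
</plist>"""


def audit_ats(plist_bytes):
    """Return the ATS keys in an Info.plist (XML or binary) that permit plaintext HTTP."""
    ats = plistlib.loads(plist_bytes).get(ATS)
    if not isinstance(ats, dict):
        return []  # no ATS dictionary: the platform defaults apply
    return [key for key in (WEB_KEY, GLOBAL_KEY) if ats.get(key) is True]


def drop_web_exception(plist_bytes):
    """Return XML plist bytes with the web-content exception removed."""
    info = plistlib.loads(plist_bytes)
    ats = info.get(ATS)
    if isinstance(ats, dict):
        ats.pop(WEB_KEY, None)
        if not ats:
            del info[ATS]  # do not leave an empty ATS dictionary behind
    return plistlib.dumps(info)


if __name__ == "__main__":
    print("before:", audit_ats(SAMPLE_INFO_PLIST))
    fixed = drop_web_exception(SAMPLE_INFO_PLIST)
    # Apple documents that NSAllowsArbitraryLoads is ignored on iOS 10+ while the
    # web-content key is present, so removing only the web-content key can bring
    # the app-wide opt-out back into effect. Re-audit after every change.
    print("after: ", audit_ats(fixed))
```

Failing the build whenever audit_ats returns a non-empty list keeps the exception from being reintroduced later.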