The binary contains http:// URLs to real hosts. Any of these reached at runtime is unencrypted in transit. (XML-namespace URIs are excluded, but third-party SDK URLs may remain, so review which are actually fetched.)
Even with cleartext nominally blocked, hardcoded http:// URLs get pasted into WebViews, shared to the OS, or reused by SDKs with their own network stack, and those paths silently downgrade to plaintext.
Individual requests leak data or fetch attacker-modifiable content over plaintext despite an otherwise secure config.