The network-security-config adds the 'user' trust anchor, so any CA the device user installs (or is tricked into installing) is trusted, a classic MITM/interception foothold.
A user is tricked into installing a "VPN profile" or corporate certificate. Because the app trusts user-installed CAs, that certificate lets an interception proxy decrypt and rewrite all of the app's TLS traffic.
Full TLS interception: credentials, tokens, and personal data exposed to whoever controls the installed CA.
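<network-security-config>
    <!-- Release builds: trust only the system CA store -->
    <base-config>
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
    <!-- User-installed CAs are trusted only when android:debuggable="true" -->
    <debug-overrides>
        <trust-anchors><certificates src="user"/></trust-anchors>
    </debug-overrides>
</network-security-config>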
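
A build-time check for this finding, as an added example that is not part of the original page or of any project's code: it parses a network security config and reports every section outside debug-overrides that trusts user-installed CAs. The function name, both sample configs and the domain api.example.com are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: user CAs trusted in release builds (the finding).
WEAK = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config>
</network-security-config>"""

# Constructed sample: the corrected form, user CAs confined to debug builds.
FIXED = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""


def user_ca_findings(xml_text):
    """List config sections that trust user-installed CAs outside debug builds."""
    findings = []

    def walk(elem, path):
        if elem.tag == "debug-overrides":
            return  # applies only when android:debuggable="true"
        label = elem.tag
        if elem.tag == "domain-config":
            # Name the affected hosts so the finding is actionable.
            names = ",".join(d.text.strip() for d in elem.findall("domain") if d.text)
            label = f"domain-config[{names}]"
        if elem.tag == "certificates" and elem.get("src") == "user":
            findings.append("/".join(path))
        for child in elem:
            walk(child, path + [label])

    root = ET.fromstring(xml_text)
    for section in root:  # base-config, domain-config, debug-overrides
        walk(section, [])
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, user_ca_findings(cfg) or "no release-build user trust anchors")
```

The check only covers what the file declares. Apps targeting API level 23 or lower trust user CAs by default, so targetSdkVersion needs a separate check.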