Thank you! It is definitely a misinterpretation. Apple makes https mandatory now and there is no way every developer would have to go through this process.
Why do you say there's no way? This is US law, not Apple's policy, and US law is fully capable of being that dumb. (Whether Apple allows developers to lie to Apple and violate US law is beside the point.)
Debian's archive software used to send an automated mail to the US government every time a new package is accepted, just in case it involves crypto:
(Looks like the government told them "Okay, okay, we don't care" at some point, but that was what they determined their legal obligation was after consulting with lawyers about what the law actually said.)
If you are pulling through http and http only, yes. If you are using HTTPS, you are encrypting the requests that may contain arbitrary amount of data and the exception doesn't apply to you anymore.
Debian's archive software used to send an automated mail to the US government every time a new package is accepted, just in case it involves crypto:
https://github.com/Debian/dak/blob/master/templates/process-...
(Looks like the government told them "Okay, okay, we don't care" at some point, but that was what they determined their legal obligation was after consulting with lawyers about what the law actually said.)