Yep. App Transport Security mandates that you have to explicitly whitelist the domains [0] which you want to access via plain http. This however, has nothing to do with certificate pinning, which the OP was mentioning.
[0] Of course you can use the blanket NSAllowsArbitraryLoads to allow plain HTTP everywhere.
[1] https://developer.apple.com/library/content/releasenotes/Gen...
[2] https://stackoverflow.com/a/48089038/2044952