Yep. App Transport Security mandates that you have to explicitly whitelist the domains [0] which you want to access via plain http. This however, has nothing to do with certificate pinning, which the OP was mentioning.
[0] Of course you can use the blanket NSAllowsArbitraryLoads to allow plain HTTP everywhere.
[0] Of course you can use the blanket NSAllowsArbitraryLoads to allow plain HTTP everywhere.