In our project we have android native dependencies from different maven repos, and one of them is our private ftp repo that uses http instead of https. It does not lead to any vulnerabilities because ftp is only accessible from our private VPN, and in other apps we were using allowInsecureProtocol to allow http protocol like this(build.gradle):

Unfortunately expo-build-properties is missing this functionality right now