Cool. Hopefully you’ll be using HTTPS in production 
You can also set specific domains that are allowed under clear text if you don’t want it wide open.
Here is a reference - Unable to carryout HTTP post on Android - #2 by twestrick
EDIT: Also, if you use live reload with ionic cap run it auto adds clear text to your config temporarily as it runs as dev and not prod.