No, it is not only for developers using their mobile ads SDK. It is for any application that uses their ads SDK. The result of this is that this application will allow arbitrary insecure http loads by default. They take away a very useful safety net.
Why can'g google be more specific about the domains on which to allow insecure http traffic? Because their SDK loads content from arbitrary ad delivery platforms.
Why can'g google be more specific about the domains on which to allow insecure http traffic? Because their SDK loads content from arbitrary ad delivery platforms.