In my app, APIs provide the domains for images and videos during runtime and I need to allow these connections to be made. Using NSAllowsArbitraryLoads seems to be the only satisfactory thing I can do right now, but I would like to take advantage of ATS and only whitelist this short list of domains provided at runtime.
According to the App Transport Security Technote, all of these domains are set in the Info.plist, which is copied at compile time. Is it possible to allow HTTP or loosen TLS requirements during runtime for requests to these specific domains?
No, the ATS policy is defined at compile time. My guess is that it may be so that it becomes part of the signed application package and can't be tampered with.
In your case allowing insecure transfers generally wil be required. If the API endpoints you use support TLS then you can specific those domains as exceptions that require security in the policy file.