From the official Android documentation, it's clear that apps that target API level 24 or later do not trust user certificate authorities (CAs). Therefore, adding a root CA to the user CAs in settings should not change the behavior of an app that has not overwritten the network security config.
Our Xamarin app has a network security config that has not added/changed the <trust-anchors> tag:

<network-security-config>
    <base-config cleartextTrafficPermitted="false">
    </base-config>
</network-security-config>

...and yet when we install a user CA in the OS settings, the app will trust it for the connection to the back-end services.
Edit: We've used apktool to reverse-engineer the final APK and make sure that the generated manifest is still pointing to the network security config with the expected content, and indeed it does, so there seems to be no problem there.
Is the Android documentation inaccurate?
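
The following is an added example, not part of the original post: a small checker that applies the documented network security config rules (default trust anchors by target API level, inheritance into domain-config, debug-overrides) to a config file and lists the scopes where user CAs would be trusted. The function names are hypothetical, `target_sdk` and `debuggable` are values you would read from the apktool-decoded manifest, and the second config is constructed for comparison.

```python
import xml.etree.ElementTree as ET

def declared_anchors(element):
    """Sources listed under <trust-anchors>, or None when the tag is absent."""
    anchors = element.find("trust-anchors") if element is not None else None
    if anchors is None:
        return None
    return {c.get("src") for c in anchors.findall("certificates")}

def effective_trust(config_xml, target_sdk, debuggable=False):
    """Map each scope (base-config or a domain) to its effective CA sources."""
    root = ET.fromstring(config_xml)
    base = declared_anchors(root.find("base-config"))
    if base is None:
        # Documented default: API 24+ trusts system CAs only, 23 and lower also user CAs.
        base = {"system"} if target_sdk >= 24 else {"system", "user"}
    scopes = {"base-config": set(base)}

    def walk(node, inherited):
        # A domain-config without its own <trust-anchors> inherits from its parent.
        for dc in node.findall("domain-config"):
            own = declared_anchors(dc)
            anchors = own if own is not None else inherited
            for d in dc.findall("domain"):
                scopes[(d.text or "").strip()] = set(anchors)
            walk(dc, anchors)
    walk(root, base)

    # debug-overrides anchors are added to every scope, but only in debuggable builds.
    extra = declared_anchors(root.find("debug-overrides")) if debuggable else None
    for anchors in scopes.values():
        anchors |= extra or set()
    return scopes

def scopes_trusting_user_cas(config_xml, target_sdk, debuggable=False):
    trust = effective_trust(config_xml, target_sdk, debuggable)
    return sorted(s for s, a in trust.items() if "user" in a)

# The config from the question, plus a constructed variant for comparison.
PAGE_CONFIG = """<network-security-config>
<base-config cleartextTrafficPermitted="false">
</base-config>
</network-security-config>"""
CONSTRUCTED_CONFIG = """<network-security-config>
<base-config><trust-anchors><certificates src="system"/></trust-anchors></base-config>
<domain-config><domain>api.example.test</domain></domain-config>
<debug-overrides><trust-anchors><certificates src="user"/></trust-anchors></debug-overrides>
</network-security-config>"""

if __name__ == "__main__":
    print(scopes_trusting_user_cas(PAGE_CONFIG, 24))
    print(scopes_trusting_user_cas(CONSTRUCTED_CONFIG, 28, debuggable=True))
```

The checker models only what the platform configuration declares; it does not observe what a given HTTP client in the app actually does at connection time.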