You don’t have to add a network_security_config.xml unless your app needs custom rules (like allowing cleartext HTTP traffic, trusting custom CAs, or disabling certificate pinning for debug builds).
By default, on API 28+ (Android 9 and up), cleartext (HTTP) traffic is blocked unless you explicitly enable it via network_security_config. If your app only uses HTTPS and doesn’t need special exceptions, you’re fine without that file.