As I understood, usesCleartextTraffic defaults to "true" to allow apps to use cleartext. Apps may optionally specify "false" to forbid cleartext. We changed WebView [1] to honor when this is "false" for apps targeting >= 26 [2].

I don't see why you needed to add that attribute, unless the attribute was inherited from something else.

[1] https://cs.chromium.org/chromium/src/android_webview/glue/java/src/com/android/webview/chromium/WebViewChromiumAwInit.java?type=cs&q=lang:java+f:android_webview+AwContentsStatics.setCheckClearTextPermitted&sq=package:chromium&l=282
[2] https://developer.android.com/guide/topics/manifest/application-element.html#usesCleartextTraffic

Apps that target P will default to disallowing cleartext, and the CTS tests are always built to target the current version. The test started failing when this default policy was implemented.

WebView and Android do agree - another android thread confirmed that the rest of android does not special-case localhost and requires a network security policy to be specified if you want to exempt it (which is preferable to enabling cleartext entirely in real code - just setting it was fine to fix the test here though).