frameworks_base/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
      <domain includeSubdomains="true">android.com</domain>
      <trust-anchors>
          <certificates src="system" />
      </trust-anchors>
      <!-- nested config that adds pins -->
      <domain-config>
          <domain>developer.android.com</domain>
          <pin-set>
              <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
          </pin-set>
      </domain-config>
    </domain-config>
    <base-config cleartextTrafficPermitted="false">
    </base-config>
</network-security-config>