
Do all apps use cert pinning? I think it got popular some years ago but I remember some downsides existing

(I know things like Google Apps and such use it, but I'm not sure about less popular ones)



Android apps don't trust user CA certificates by default (they only work with web browsers). You have to explicitly enable this option in the app manifest.

Rooting the device enables you to put custom certificates in the system store, and bypass this check.
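Added example (not from any commenter in this thread, and not from any real app): the Android mechanism the comment above refers to is a network security config resource, referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. Since Android 7.0 (API 24) the default for apps targeting that level is `<certificates src="system"/>` only, so a user-installed proxy CA is not trusted. The config below keeps that default, trusts user CAs only in debuggable builds, and adds a pin set for one API host; the domain name and the two base64 SPKI SHA-256 pin values are placeholders you would replace with your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml -->
<network-security-config>

    <!-- Production default: only the system CA store is trusted.
         This is already the default on API 24+, stated here explicitly
         so a later edit cannot silently widen it. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only honoured when the build is debuggable (android:debuggable="true").
         Lets a developer inspect their own traffic with a proxy CA installed
         in the user store, without shipping that trust in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Certificate pinning for the app's own API host (placeholder domain).
         Pins are SHA-256 digests of the SubjectPublicKeyInfo, base64-encoded.
         Always ship at least one backup pin for a key you control but have
         not deployed yet, and set an expiration so a missed rotation degrades
         to normal CA validation instead of bricking the app. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- placeholder: current leaf or intermediate SPKI pin -->
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_SHA256_CURRENT=</pin>
            <!-- placeholder: backup key pin held offline -->
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_SHA256_BACKUP=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

Two points worth checking in a review of a real app: the `<debug-overrides>` block is ignored unless the APK is actually debuggable, so it is safe to leave in source; and an app that sets its own `<trust-anchors>` with `src="user"` inside `<base-config>` has opted back into the browser-like behaviour and will accept any CA the device owner installs.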


In my experience only a very small percentage of the apps where I look at the traffic using Charles Proxy have the certificates pinned. Usually it's the stock apps from Apple that are all cert pinned.


Same experience for me across a wide category of iOS and Android apps.


I've done a few and always ran into cert pinning issues.


I haven't run into an app I've reverse engineered that didn't have it.


Then you are sampling a very small or a very biased set of apps.



