It's not that easy. Even the first question in iTunesConnect explicitly states you must answer "yes" even if you just make use of the built-in HTTPS libraries in the OS. If you start digging into the various guidelines you open a can of worms of recursive cross-references between documents and sections. Nowhere have I seen a statement that says "if you just use os HTTPS, you don't have to do anything". At the very least you may have to consider if you have to submit various annual self-classification reports.
For an app like this I could easily see a serious company deciding to skip the hassle and CYA, instead of potentially taking on a huge legal risk. Would you, as a regular worker-bee developer, be OK with personally signing off and accepting a legal risk on behalf of a large company without involving expensive lawyers to evaluate the validity of your opinion on this legalese? Would that be a responsible action to take?
For an app like this I could easily see a serious company deciding to skip the hassle and CYA, instead of potentially taking on a huge legal risk. Would you, as a regular worker-bee developer, be OK with personally signing off and accepting a legal risk on behalf of a large company without involving expensive lawyers to evaluate the validity of your opinion on this legalese? Would that be a responsible action to take?