The Expo framework runs entirely on the end user's device. It's client-side software, and I don't think MiTM attacks are the main part of the threat model. Like with most open source, you may want to vet the supply chain and the code you include in your apps, but Expo has been maintained for over seven years now and is generally trusted in this way in my experience.