It is recommended to disable client-side caching to prevent the automatic recording of API communications in the cache. The Secure Mobile Development guide can be reviewed for further information regarding the aforementioned caching issue.
It should be noted that the default NSURLCache does not support altering the protection level.
Consequently, all requests and responses will be cached and left unprotected at rest via the NSURLCache, even when the application implements Data Protection at the application level.
If the URLCache is required, this exposure can be avoided with a custom NSURLCache subclass that stores responses in an SQLite DB file with the NSFileProtectionComplete attribute set.
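
One way to apply the recommendation to disable client-side caching with URLSession, shown as an added Swift example that is not code from the application under review. The names `NoCacheDelegate`, `makeNonCachingSession` and `purgeSharedURLCache`, and the `api.example.com` URL, are hypothetical.

```swift
import Foundation

// Hypothetical delegate: refuses to cache responses for delegate-based data tasks.
// URLSession only calls this method for tasks created without a completion handler.
final class NoCacheDelegate: NSObject, URLSessionDataDelegate {
    func urlSession(_ session: URLSession,
                    dataTask: URLSessionDataTask,
                    willCacheResponse proposedResponse: CachedURLResponse,
                    completionHandler: @escaping (CachedURLResponse?) -> Void) {
        completionHandler(nil) // nil tells the session not to store the response
    }
}

// Hypothetical factory: builds a session that neither reads from nor writes to a cache.
func makeNonCachingSession() -> URLSession {
    // An ephemeral configuration does not persist caches, cookies or credentials to disk.
    let config = URLSessionConfiguration.ephemeral
    // Remove the remaining in-memory cache as well.
    config.urlCache = nil
    // Never answer a request from a locally cached copy.
    config.requestCachePolicy = .reloadIgnoringLocalCacheData
    return URLSession(configuration: config,
                      delegate: NoCacheDelegate(),
                      delegateQueue: nil)
}

// Hypothetical helper: removes responses already stored by the shared cache,
// for example by an earlier app version that used the default configuration.
func purgeSharedURLCache() {
    URLCache.shared.removeAllCachedResponses()
}

// Usage: purge once at launch, then route all API traffic through the session.
purgeSharedURLCache()
let session = makeNonCachingSession()

// Constructed sample request; the per-request policy mirrors the session policy.
var request = URLRequest(url: URL(string: "https://api.example.com/v1/profile")!)
request.cachePolicy = .reloadIgnoringLocalCacheData

assert(session.configuration.urlCache == nil)
assert(session.configuration.requestCachePolicy == .reloadIgnoringLocalCacheData)
```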