Cordova - XHR Requests on Android work in Emulator, but not on Phones

As the problem disappears if you lower the targetSDK, it's probably the usesCleartextTraffic mentioned by Nidhin Josehp. It only affects Android 8 or newer devices when targeting SDK 28 or greater.

Instead of manually editing the AndroidManifest.xml as he suggest (you should never manually edit it in Cordova apps) you can add this to the config.xml

<platform name="android">
  <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
      <application android:usesCleartextTraffic="true" />
  </edit-config>
</platform>

You might need to change your widget tag in config.xml to look something like this:

<widget id="com.your.app.id" version="1.0.0"
xmlns="http://www.w3.org/ns/widgets" 
xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:cdv="http://cordova.apache.org/ns/1.0">

(The addition is the xmlns:android="http://schemas.android.com/apk/res/android")

Try adding android:usesCleartextTraffic="true" to the <application> in the AndroidManifest.xml or as below using config.xml

<platform name="android">
  <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
      <application android:usesCleartextTraffic="true" />
  </edit-config>
</platform>

android:usesCleartextTraffic Indicates whether the app intends to use cleartext network traffic, such as cleartext HTTP. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". More info

Cleartext is any transmitted or stored information that is not encrypted or meant to be encrypted. When an app communicates with servers using a cleartext network traffic, such as HTTP, it could raise a risk of eavesdropping and tampering of content which is why in latest Android devices, it's set to false by default.