Apart from the security implications, I can see multiple privacy issues here. Apple's services may attempt connections to non-Apple resources as well as Apple's.
My understanding is that trustd (Trust Daemon) will be allowed to report/validate (OCSP? CT?) certificates anywhere the issuer points it to, and that nsurlsessiond (NSURLSession Daemon) will be allowed to attempt any connections other Apple processes will tell it to. From what I observed, opening a single podcast in Podcasts.app sometimes results in nsurlsessiond connecting to resources under multiple different domains.
My pessimistic view of today's tech world tells me to follow the money on this and that I might not be able to block in-system ads at some point in the future.