Installation wizards typically default to poking holes in the firewall, so the driver can do whatever the manufacturer wants. The user needs to be aware of and capable of using the appropriate settings (often buried deep in a byzantine complex of dialog boxes).
Yes, I know what they do. After I got over Zonealarm, I was using @Guard which Norton bought, added megabytes to its size and dumbed it down so it was not as easy to use. All rules had to be manually entered, I loved it.
On my mac, I use LittleSnitch + VPN ON my iOS devices, its more about ad blocking than anything and I use Weblock + VPN.
As far as Apple HQ getting my info goes… they already have it and trying to block them getting anything else means losing functionality. So they can have whatever they want.