Comment by varenc

1 month ago

An iOS "local VPN" could definitely block all traffic to Apple IP ranges. But it lacks the ability to associate traffic with the originating process/framework. Like if, for example, I wanted to only allow iMessage to talk to Apple but nothing else. This is what Little Snitch and other software gives you on macOS/Linux/etc.

But even blanket blocking of all Apple IP ranges probably wouldn't do anything here. As documented, your device sends noise-injected image vectors to OHTTP relays and doesn't contact Apple directly. By definition those relays are operated by third parties. So if you consider this type of data "phoning home", you'll need to find the IPs of all of the OHTTP relays iOS uses (or block the traffic that looks up the OHTTP relays).

Apple's "enterprise networking" guide lists third-party CDNs as subdomains of apple.com, which usually resolve to Akamai or Cloudflare subdomains. This allows those dynamic IPs to be blocked via dnsmasq ipset rules. In theory, they could use similar subdomain resolution for the OHTTP relays.

Since iOS was derived from macOS, perhaps Apple could restore the link between network traffic and process.