It's an RFC 6960 OCSP certificate revocation check... and it's the developer certificate whose hash is checked, not an individual application cert.
And this only applies to apps that have a developer certificate. macOS doesn't require these certificates be present, but will warn for apps that don't have one. For unsigned apps, there's no certificate, and therefore no OCSP call.
Our machines are (or should be) sending OCSP requests very frequently, even non-Apple devices, since this is also how browsers check that HTTPS certs haven't been revoked.
OCSP as a protocol does have some privacy concerns, but they would apply to all applications of OCSP, including our browsers.