Huh? It hashes the binary and phones home, doesn’t it? Go compile anything with gcc and watch that it takes one extra second for the first run of that executable. It’s not verifying any certificates.
When I first run locally-built software I tend to notice XProtect scanning each binary when it is launched. I know that XProtect matches the executable against a pre-downloaded list of malware signatures rather than sending data to the internet, but I haven't monitored network traffic to be sure it is purely local. You can see the malware signatures it uses at /private/var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.yara if you're curious.