The notion that some random app can just spin up a server on localhost without my permission is completely insane. Also, this is why Gatekeeper, and the App Store "walled garden" are good---nothing should get the kind of permissions necessary to run a fucking localhost server that can reinstall a deleted app w/o user interaction!!
As far as I know any desktop app (userland code) can listen on a non-privileged port without permissions, on any desktop OS.
I’ve seen a few programs (like R) run web servers to provide documentation (although, the server only ran temporarily).