Little Snitch could use a 1-click on/off ruleset for blocking all Apple network connections (17.x.x.x) except for the published whitelist of Apple notification servers. That would block most of the real-time phoning home. The block could be disabled manually for security updates. If notifications aren't needed, block all of 17.
I saw this idea implemented in the book "Extreme Privacy: macOS Devices". The author also provides importable profiles that you can switch between, e.g. to enable/disable security updates. I haven't tried them yet, but I am now more motivated to do so.