OCSP is deliberately done with plaintext HTTP, because otherwise it's potentially infinitely recursive. To be clear: Cryptographically this is fine, the OCSP answer itself is signed, so an imposter can't show you a bogus answer (though they could potentially show you an older but not yet expired answer pretending it's the latest they have). But in privacy terms it has negative consequences.
You could in principle fix this (with technologies that were invented later, like OCSP mandatory stapling) or you could use CRLs for everything. But we don't.
When used as Apple apparently did, the effect of OCSP is that any certificates being examined are reported (by serial number, but you can look up the certificate itself of course) to their issuer by your machine each time it checks. This is why browsers like Chrome or Firefox do not do OCSP checks.
Suppose (in a browser) you visit Porn Hub. Well it makes sense that Porn Hub know you visited, but it would probably surprise most visitors if DigiCert (the Certificate Authority which issued their certificates) were told you visited Porn Hub too. Likewise then if you're running some hypothetical porn app, the CA would be told each time on Mac OS apparently.
