> Nit: I believe stapling is supposed to fix this issue.
No, even stapled apps phone home. The difference is that stapled apps can still run if Catalina can't contact Apple (e.g., no internet), whereas unstapled apps can't.
Look closely at the Gatekeeper dialog with and without your internet connected.
…wait, what? Why is this designed like that? Surely downloading a revocation list is not that onerous…