
That is not correct. It does a live check when presented with a certificate, to make sure that certificate has not been revoked for signing malware. It doesn’t store anything. Apple are not saving information. It’s just an online blacklist check. That’s how OCSP works everywhere, it isn’t an Apple thing. They are using the standard protocol as documented in the RFC.


There is nothing in plain OCSP that prevents the responder server from logging the request along with the originating IP. Any claim that a particular server doesn't do so is either just an assumption or based on trust alone. This is why OCSP stapling is preferred over plain OCSP in browsers, and also why plain OCSP can be disabled. In this particular case, trustd and other system daemons are known to skip VPN and firewall blocks, so it's a mandatory information leak.
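An added illustration of the logging point above, not code from any commenter or from Apple: it builds a minimal OCSPRequest (RFC 6960 section 4.1) with only the Python standard library, then parses it the way a responder would and pairs the CertID fields with the client IP that the HTTP layer already supplies. The issuer name, issuer key and leaf serial are constructed placeholders rather than real certificate data, and `responder_view` is a hypothetical helper, not any real responder's code.

```python
"""What a plain-OCSP responder can record from one request (added example)."""
import hashlib

# AlgorithmIdentifier { sha1 (1.3.14.3.2.26), NULL } as DER
SHA1_ALGID = bytes.fromhex("3009" "06052b0e03021a" "0500")

# Constructed placeholders for an issuing CA's DER Name, its subjectPublicKey
# bits and one leaf (e.g. code-signing) certificate serial. Not real data.
ISSUER_NAME_DER = b"constructed issuer Name DER"
ISSUER_KEY_DER = b"constructed issuer subjectPublicKey bits"
LEAF_SERIAL = 0x0A1B2C3D4E5F


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """One DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Non-negative INTEGER; the extra byte keeps the top bit clear when needed."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_ocsp_request(issuer_name_der, issuer_key_der, serial):
    """Unsigned OCSPRequest holding a single CertID (RFC 6960 section 4.1.1)."""
    cert_id = der(0x30,
                  SHA1_ALGID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key_der).digest())   # issuerKeyHash
                  + der_int(serial))                                   # serialNumber
    single_request = der(0x30, cert_id)        # Request ::= SEQUENCE { reqCert CertID }
    request_list = der(0x30, single_request)   # requestList SEQUENCE OF Request
    tbs_request = der(0x30, request_list)      # TBSRequest, version/requestorName absent
    return der(0x30, tbs_request)              # OCSPRequest, optionalSignature absent


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a SEQUENCE body into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def responder_view(request_der, client_ip):
    """Hypothetical responder-side log record: request fields plus source IP.

    Handles the minimal unsigned form built above (no version, requestorName
    or extensions). The IP comes from the TCP/HTTP layer, not from the request.
    """
    _, tbs_tlv, _ = der_read(request_der)        # OCSPRequest -> tbsRequest
    _, request_list_tlv, _ = der_read(tbs_tlv)   # TBSRequest -> requestList
    _, requests, _ = der_read(request_list_tlv)  # SEQUENCE OF Request
    records = []
    for _, single in der_children(requests):
        _, cert_id, _ = der_read(single)         # Request -> reqCert
        _alg, name_hash, key_hash, serial = der_children(cert_id)
        records.append({
            "client_ip": client_ip,
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big"),
        })
    return records


if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_DER, LEAF_SERIAL)
    print(req.hex())
    print(responder_view(req, "203.0.113.7"))  # 203.0.113.7 is a documentation address
```

The request carries the issuer hashes and the leaf serial in the clear, and RFC 6960 Appendix A transports it over plain HTTP, so a logging responder (or an on-path observer) gets a (client IP, certificate) pair per check; nothing in the protocol stops it from being written down.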


> It doesn’t store anything. Apple are not saving information.

How do you know?



