Notably this is not the first time Apple has issues with checking identities on TLS initial connection. There was a famous bug years ago called "Goto Fail" where MacOS would just accept any signature/identity in certain cases.

Sometimes you just want to shake Apple management and scream: implement. basic. unit. tests. for. security. stuff. aaaaa.