Hacker News

walterbell, today at 1:52 AM

As mentioned elsewhere in this thread, traffic from each iOS app was traced via Charles Proxy, the endpoints allowlisted for normal behavior, and finally the app was offloaded so it could not generate any traffic from the device. Over time, this provided a baseline of known outbound traffic from the device, e.g. after provisioning a new device with a small number of trusted apps.

Apple traffic was isolated separately, https://news.ycombinator.com/item?id=46994394

Traffic outside that baseline could then be reviewed closely.
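Added example, not part of the comment above and not the commenter's tooling: a minimal Python sketch of the baseline review it describes, where hosts seen while each app was traced form a per-app allowlist, Apple traffic goes to its own bucket, and everything else is queued for review. The Apple suffix list, the `*.` wildcard convention, and all hostnames and function names are assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: suffixes used to bucket Apple traffic separately (not from the comment).
APPLE_SUFFIXES = ("apple.com", "icloud.com")

def matches(host, pattern):
    """Exact match, or label-boundary suffix match for patterns written '*.domain'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.x.example" matches "a.x.example" only
    return host == pattern

def build_baseline(traced):
    """traced: (app, host_or_pattern) pairs recorded while each app was profiled."""
    baseline = {}
    for app, host in traced:
        baseline.setdefault(app, set()).add(host.lower())
    return baseline

def classify(host, baseline):
    """Return 'apple', 'baseline:<app>', or 'review' for one observed hostname."""
    h = host.lower().rstrip(".")
    if any(h == s or h.endswith("." + s) for s in APPLE_SUFFIXES):
        return "apple"
    for app, patterns in sorted(baseline.items()):
        if any(matches(h, p) for p in patterns):
            return f"baseline:{app}"
    return "review"

def review_queue(observed, baseline):
    """Hosts outside both the baseline and the Apple bucket, most frequent first."""
    hosts = (h.lower().rstrip(".") for h in observed)
    return Counter(h for h in hosts if classify(h, baseline) == "review").most_common()

# Constructed sample data: endpoints recorded per app during tracing.
TRACED = [("notes", "sync.notes.example"), ("notes", "*.cdn.notes.example"),
          ("mail", "imap.mail.example")]
# Constructed sample data: hostnames seen later in outbound traffic.
OBSERVED = ["sync.notes.example", "img1.cdn.notes.example", "gateway.icloud.com",
            "imap.mail.example", "telemetry.tracker.test", "telemetry.tracker.test",
            "cdn.notes.example.evil.test"]  # lookalike: must not match the wildcard

BASELINE = build_baseline(TRACED)

if __name__ == "__main__":
    for host, count in review_queue(OBSERVED, BASELINE):
        print(f"{count:3d}  {host}")
```

Matching on the full suffix at a label boundary, rather than on a substring, is what keeps the lookalike host out of the allowlist.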