This might work for you, but doing this to an untrained, unexpecting, or visiting Apple user on your LAN will make their Apple device experience 1,000x worse.
I run several PiHoles — for guests, DHCP issues the IP of the least-restrictive blacklist (which does allow Apple; just seven rules to block the largest always-advertisers).
But also, I don't care about anybody's user experience on my home network, but my own =D
```
(\.|^)apple\.com$
(\.|^)icloud\.com$
```
Also, set your Mac's `do not disturb` feature to turn on at 3:01 AM, off at 3:00 AM == no more notifications.
You can then download OS updates directly from Apple's CDN via https://mrmacintosh.com/