It's not about trust that they aren't doing something malicious, it's about trusting them to provide the level of attention and work required to keep something very secure.
A kernel and the core OS capabilities are a high security domain and I expect Apple to be extremely careful and put a lot of attention into making it secure. Desktop applications are a different domain where security is not quite at the same level and Apple will not and can not provide the same level of security for all of them that it can and does provide for the base OS.
As a simple example, compare Safari and the OS. The domains in which they operate make it extremely hard, if not impossible, for Safari to have the same level of security as the OS and kernel because the use case of Safari opens it to far more attack vectors.
Does anyone believe that exempting all Safari traffic from firewalls would be a good idea? If not, then why should we accept that it's a good idea for some arbitrarily set of other Apple applications?
The issue here is simple, it's the same as it always is with Apple. There's a choice to do the thing that's slightly more complex and requires users to provide even a minimal amount of input that they might have to think about ("An application is attempting to change the traffic flow required by X service, if you allow this it may cause problems with this service. Yes/No?"), but instead they opt for "Users must trust us implicitly and entirely in everything we do", which is their go-to solution. It all comes back to control, does Apple control the user, or the the user control their software? Apple has built their empire around the former, so while we can't expect the latter without if being forced on them, that doesn't mean we shouldn't.