Yes it is ridiculous that an internet query is in the path of starting a local app for the first time in X hours. If it has to be done, it could be done in a daily batch for all apps when the connection is idle, and on install. Using bloom filters to check for recent invalidations would be even better.

How many false positives are possible with bloom filters? In the described use case, you don’t want even one.

A positive on on the bloom filter is just an indicator that you do the bigger, more expensive (and privacy-reducing) check, like an encrypted OCSP query for that specific certificate. It's not the final verdict, specifically because of the risk of false positives. Bloom filters are a way of making it so that you don't have to do that bigger, privacy-leaking query every time.