It depends on how it is done.
No, seriously.
I worked at Apple on Schoolwork for the last few years of my career and saw firsthand how Apple handles data it gathers. As an example, every device was given a unique identifier that in no way identified the user of the device (I mean it was simply a UUID). Additionally, it was tossed and a new one recreated every 11 months.
Because I am inclined to give Apple the benefit of the doubt (your mileage may vary), I am assuming the binary hash they send is intended to protect users from malicious binaries (once their hash is identified of course). And if Apple in this case also rotates the UUID every 11 months, I don't have to worry about them targeting me and my habits specifically (well, not beyond 11 months windows in any event).
Additionally, when at Apple, we had privacy teams walk through things like error logs that our app and framework wrote—making sure there was no PID (personally identifiable information) in the logs. A naive engineer might, in a URL-fetch timeout, for example, log something like, "Timeout for URL request: 'myblog.blogsite.com'". Privacy would ask, "Is it important we log the full URL? Might we instead just log the domain?"