They do use their infrastructure to connect to Apple Notification Service servers when the app is not used, they do act as a Man In The Middle but in a secure, concise manner (not in a sketchy way). And they conect to their servers for registration and subscription status. You can read a more in depth explanation on their blog
Besides all that I’m not sure if someone who wants to create it’s own implementation of all of this can do it without any apple device; reading jjtech technical explanation (jjtech.dev/…/imessage-explained/) where he explains pypush he mentions the obfuscation process for registering a device to apple servers, here is where pypush somehow manages to convince Apple that the machine is genuine, there is a mention there to some serial identifier stored on a file called data.plist, if someone wants to implement this proof of concept would need to give another serial identifier?