Everything's connected to the internet, what the OP was talking about was attack vectors and since Transmit is a local app it really isn't one unless your whole machine is compromised, which in that case you're screwed.
There are lots of ways a local app can be compromised. It can read a local config value unsafely which can be influenced by some other app that does talk to the Internet, for example.
There's a reason why airgapping is the only way to secure important systems (and of course that can also have a number of vulnerabilities).
And besides, how do you know it's a local only app if you haven't audited it?
