by kabdib
3926 days ago
You can probably verify the output of the compiler. This takes some effort, and 99.99 and a few more nines of developers don't do it, unless they're stepping through assembly trying to find a bad bug or performance issue. On the other hand, if Apple is doing transformations on the code you give them (e.g., you hand them LLVM bytecodes or whatever), then the process is harder because Apple's doing the code gen and optimization. Still, you should be able to notice utterly foreign basic blocks and system calls ("hey, when did our app start calling mkdir?"). While I wouldn't discount this as a vehicle for state-level actors to distribute malware ("stateware"?), and while we know that in practice this "many eyes" stuff doesn't really work out, this type of tampering would be detectable after the fact, with detection easily automated once discovered in the wild.
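The "when did our app start calling mkdir?" check from the comment above, sketched as an added example (not the commenter's code): it diffs the imported symbols of a reference build against the shipped binary. The two listings are constructed samples in the style of `nm -u` output, and the `SENSITIVE` watchlist is an assumption chosen for illustration.

```python
# Added example: compare imported symbols of a locally built reference binary
# against the binary that was actually distributed. Both listings below are
# constructed samples shaped like `nm -u` output, not data from a real app.

# Assumed watchlist of imports that deserve a human look when they appear.
SENSITIVE = {"mkdir", "unlink", "fork", "execve", "posix_spawn",
             "dlopen", "dlsym", "socket", "connect", "system"}

REFERENCE_NM = """\
_NSLog
_objc_msgSend
_open
_read
_close
dyld_stub_binder
"""

SHIPPED_NM = """\
_NSLog
_objc_msgSend
_open
_read
_close
_mkdir
         U _connect
_strlen
dyld_stub_binder
"""

def imports(nm_output):
    """Return the set of imported symbol names found in `nm -u` style text."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        sym = fields[-1]          # accepts "_mkdir" as well as "U _mkdir"
        if sym.startswith("_"):   # drop the Mach-O leading underscore
            sym = sym[1:]
        names.add(sym)
    return names

def foreign_imports(reference_nm, shipped_nm):
    """Split imports present only in the shipped binary into (flagged, other)."""
    added = imports(shipped_nm) - imports(reference_nm)
    return sorted(added & SENSITIVE), sorted(added - SENSITIVE)

if __name__ == "__main__":
    flagged, other = foreign_imports(REFERENCE_NM, SHIPPED_NM)
    print("review first:", flagged)
    print("also new:", other)
```

An import diff only sees calls resolved through the dynamic symbol table; code that issues raw system calls or resolves functions at run time needs the disassembly-level comparison of basic blocks that the comment also mentions.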