App Store apps in general have significantly fewer ways to be “truly malicious”, and App Store review is somewhat more stringent than Google’s process from what I’ve heard. However, run-of-the-mill tracking SDKs are commonplace on both stores.
Both stores use automatic detection for malware, the manual testing used by _both_ store is mostly there for business reasons in my experience.
Google used to be laxer about what you could do with its APIs, but it has started to become way stricter one or two years ago.
It always cause some drama in the dev community when they stop apps from misusing an API (even if the misuse was not shady) but it is mostly for the best.