F-Droid builds all of their apps from the publicly released source code. There's no reason why Google couldn't do the same, at least for apps hosted on well-known coding/review platforms like GitHub.
That's a good point. Is there some kind of time lag between the builds and the repo updates? If there's not time for anyone to check the code then the door is still slightly open for malicious code to enter the store without scrutiny.