[q3k]

The review doesn't guard against malicious code. You can slip through anything you want, just don't trigger the functionality during review and you're golden. People have been doing that for private framework calls since forever.

The protection is in the permission system and sandboxing, which is active regardless of the source of the code.

[prophesi]

You only need to pass the app review once, then you're free to deploy over-the-air updates for as long as you'd like. Though you'd need to use a framework like React Native, Ionic, Flutter, etc which supports it. Essentially anything where you can change app code without making any changes to the underlying native code (as that would require going through the app review process again to publish those changes).