No, they catch that kind of stuff in app review. Lua code updates would be a small part of that. They're asset and IAP content, that is why it's multi-megabyte. It comes from experience.
Can they? For instance in love2d the mechanism for distributing a blob of assets after the fact is the same as the mechanism for distributing a blob of code after the fact. I'm not sure I can rewrite my app to be incapable of loading code from mounted archives, though I could rewrite it to not mount any archives until it's done loading code.
Well they detected it my company when we did it. We had little lua mini-games that you could download, and they rejected the app for it.
If you work really hard to hide it, then you could do it possibly. Like most private API calls are not detected by their tool if you execute it with a composed string based peformSelector: style action for example. And they can't really detect private view manipulation either.
But they can also use plain deduction in using your app. As in, 'this wouldn't be possible unless they are downloading code'. They also don't like finding out about hidden shit that is only revealed once the app is approved.