
What does this mean for non-open-source projects? They need to submit the source code to ensure there is no malware, right? This is the standard practice in iOS apps.


> This is the standard practice in iOS apps.

Pretty sure you’ve got your wires crossed here - you absolutely do not have to submit source code to put your app on the App Store.


iOS app binaries are submitted to the App Store, not the source code. Malware is detected via static analysis of the byte code (and presumably some runtime heuristic analysis) but it isn’t perfect.


For the most part, the main thing that I’m aware that static code analysis detects is using non-public APIs. Most of the malware protection comes from iOS’s sandbox.


iOS does not involve sending your source code. This involves ensuring your app runs in their Hardened Runtime and is properly signed. Apple checks that there is no malware.



