I think it depends on the app and the entitlements. I would assume apps that request entitlements for system-level VPN APIs are scrutinized more than calculators.
The rules for Facebook, Instagram, and WhatsApp to get kicked out of the App Store are not the same as the rules for other companies’ apps to get kicked out of the App Store.
All they do either way is poke at the GUI and maybe watch the HTTP requests.
The real goal of the review process is to maintain control over the UX, not prevent malware. If you want to see a review process that stops malware, read a Linux distribution mailing list.