It can go both ways, but isn’t easier to point and find rogue devs at a doxxed almost global store than a single dev living in God’s knows where?

Not worried about a dev at the app store. More that the whole app store can be compromised and under subpoena and or control of a malicious company. Apple could very well be injecting code into every app on their app store, and no one would know because its proprietary.. This is just hypothetical..