The security implications of only allowing codesigned code to execute is completely divorced from the decision to control what content is allowed on Apple's storefront. The former limits what's on your phone, but does not make any judgement about the content. The latter makes a judgement about the content, but doesn't limit what you can run on your phone if you can find some other avenue to run stuff (e.g. self-signed with a dev cert, or web apps).