If shady devs can get a malicious app past Apple they can definitely get one past the average user. Does Apple get it right 100% of the time? Of course not. Does Apple get it right far more often than I would? Without a doubt.
Getting a malicious app past Apple in this context might mean as little as getting past a cursory review from a single indifferent employee. Apple has let enough bad apps through that, without further information, my default assumption is that the reviewer is doing little more than checking some boxes.
