My understanding is that on the fly code loading is still allowed if (1) the loaded code is written in, or compiled to, JavaScript, and (2) no native hooks it can call allow it to call arbitrary native functions by name, which was being misused to access hidden/proprietary APIs that could break during updates. Which makes sense if Apple wants to guarantee "our updates won't get blamed for broken apps as long as our public APIs are backwards compatible."
