Sure scammers could try to pass it off as their own work, bundle it with adware/spyware installers, etc. but what's the point of getting a bogus bundle when you can just download the original for free from the developer's web site?
Note: even "legitimate" download sites like download.com used to be notorious for basically doing just that, and possibly ranking higher than the developer site in search results. They also hosted deceptive ads with large, fake, "download" buttons . The current incarnation seems to have improved in that regard, fortunately.
There are also widely available free 2d and 3d game engines that will run on them.
The problems are more things like form factor, lack of editors, difficulty of getting traction in a massively crowded market, etc.
> 2.4.5(iv): [Apps] may not download or install standalone apps, kexts, additional code, or resources to add functionality or significantly change the app from what we see during the review process.
> 2.5.2: Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps.
The app store is much more concerned with stuff like apps that update themselves to install payloads or change the approved app on a fundamental level.
Microsoft’s CodePush in particular seems like something Apple might decide to block at some point.