How can the app review ensure that, say, you don't have a timebomb in your program after which you start sending off private data? Apple doesn't ask for the source code, does it?
They do not do that, nor can they without examining the source very carefully. There have been cases of apps getting through with illegal functionality in.
But then all the app store gives people is a false sense of security. The willingness of people to trust arbitrary App Store apps should be condemned, not celebrated.
There is no way to guarantee that something hazardous could never be hidden in, or downloaded later. There are too many ways of obfuscating your code, even when viewing the source code.
You can limit what the app has access to, and Apple and Google do this.
By regulating the process - and the payment - Apple is able to instantly remove an app as soon as it is found to be malicious and refund anyone who paid for it out of the developers pocket.
But that's independent of the review process. They could do the same thing without a review.
For comparison, the Mozilla Addons review process requires you to provide them a copy of the (unobfuscated) source code. You always have the option of self-hosting, of course.
If you're going to have a review process at all, you should at least add something of value. Either ask for source code (and deal with the backlash) or don't have a review process at all. A two-level review system (one with source code, one without) with appropriate warnings is fine, too.
The app store review process as it currently stands is worthless, useless and meaningless.
