Even if that was part of the threat model, Apple doesn't encrypt bundle resources; only the binaries[0]. Before they got rid of iTunes, you actually used to be able to download IPAs through it to sync them onto your iPhone[1]. The IPA files were right on the drive and could be opened by anyone. The underlying interfaces to do this still exist and you can still get IPAs today using Apple Configurator 2, iMazing[2], or straight off the Apple CDN[3].
This is also why you can't run iOS apps on unsigned macOS - the Secure Enclave will refuse to decrypt apps unless the currently booted OS is Apple-signed, with the usual integrity protections in place.
[0] https://forums.developer.apple.com/forums/thread/13486
[1] https://apple.stackexchange.com/questions/298391/how-do-i-do...
[2] https://imazing.com/guides/how-to-manage-apps-without-itunes
Also, shoutout to iMazing in general, it's a really useful tool for playing around with device backups.
[3] I can't find the citation for this but I swear I saw a blog post that told you how to do this.
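The point made in the thread, that only the binaries in an IPA are encrypted and bundle resources are not, can be checked by auditing what ships in an archive. The following is an added example, not part of any comment above: it walks an IPA (a zip archive) and reads the `cryptid` field of the Mach-O `LC_ENCRYPTION_INFO` load command. It assumes thin little-endian 64-bit Mach-O files only; the sample archive, its file names and its contents are constructed.

```python
import io
import struct
import zipfile

MH_MAGIC_64 = 0xFEEDFACF           # thin little-endian 64-bit Mach-O
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def cryptid(data):
    """Return the cryptid of a thin 64-bit Mach-O, or None if absent/not Mach-O."""
    if len(data) < 32 or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        return None
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off = 32                                    # load commands follow the header
    for _ in range(ncmds):
        if off + 8 > len(data):
            break
        cmd, size = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if off + 20 > len(data):
                break
            return struct.unpack_from("<I", data, off + 16)[0]
        if size < 8:                            # malformed command, stop walking
            break
        off += size
    return None


def audit_ipa(ipa_bytes):
    """Classify every file in an IPA (a zip archive) by whether it is encrypted."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            cid = cryptid(z.read(info))
            report[info.filename] = "encrypted" if cid else "readable"
    return report


def build_sample_ipa():
    """Constructed sample: one stub Mach-O with cryptid=1 and one plaintext resource."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 1, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Demo", header + enc)
        z.writestr("Payload/Demo.app/Config.plist", b"<plist>constructed</plist>")
    return buf.getvalue()
```

Anything reported as "readable" should be treated as public, so configuration files, keys and tokens do not belong in bundle resources.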