In theory you should be able to run untrusted code and be safe if permissions, sandboxes etc. are organized reasonably.

The idea that you can tell if somebody's else code is malicious just by looking at it is flawed anyway and it's been shown many time over.

Plus they still can automatically scan binaries of sideloaded apps (maybe that is what this is about, they automated enough)