TL;DR – There’s a way to push apps to people that Apple called the Apple Enterprise Program. It’s for enterprises, strictly limited to a business distributing and installing internal iOS apps on their fleet of phones.
The apps don’t have to go through the App Store verification, and are generally assumed to be things like a campus navigation app, door unlocker, or something that the public should never ever see.
Facebook used it a couple of days back to push a monitoring app for teen’s phone usage through Facebook. They promptly were removed from the program and no longer can install apps that don’t go through the App Store on the Apple platforms.
Basically a violation of the ToS, and Google was guilty of it as well on the iSide. No certificate for you Google.
Everyone’s got their certificates back after removing the apps and backdoors to the app store they’d effectively invoked, but Google and Facebook are not the only one according to one developer. (Amazon, Doordash, Sonos, Instacart are mentioned although Amazon’s might not be)
So basically the week of Apple’s security nightmare, they’re waking up to realize there are a lot more attack vectors than they thought.