> I would think making sure outside payment links aren’t scams will be more expensive than that because checking that once isn’t sufficient. Ignoring the fact Apple isn't doing that anyway right now as others have pointed out: There are multiple ways to make sure of that without it costing any significant money, eg hashing all scripts that are served on the link and making sure they're the same since review.

Not that they'd ever do the review to begin with, so the hashing won't be done either, but it's something that could be done on iOS/ipados.

And if you consider that infeasible, you might want to check out current CSP best practices, you might be surprised