They do that when they're concerned about bad actors or want to prove out the API first with a controlled set of people who are willing to experience breakage
Not only must you be reviewed by the App Store, but your app will require security entitlements to act as a payment processor. And you'll have to be a registered Apple developer in good standing.
If a malicious actor went through all this trouble to grab some transactions, they'd be shutdown within hours of the scam and Apple would refund the money.
Also, who's going to trust or want to use "Bob's rando payment processor"? No merchant is going to do that.
Not only must you be reviewed by the App Store, but your app will require security entitlements to act as a payment processor. And you'll have to be a registered Apple developer in good standing.
If a malicious actor went through all this trouble to grab some transactions, they'd be shutdown within hours of the scam and Apple would refund the money.
Also, who's going to trust or want to use "Bob's rando payment processor"? No merchant is going to do that.