While I'm sure there's certainly some refinement to be done on how app updates work, Sandstorm explicitly closes the WebView loophole. An app you run doesn't have access to make backend network requests or frontend javascript requests unless you grant that permission. So it's not really possible to build an app that pretends to run on your server but is really just a wrapper for a SaaS.