It’s pretty common for apps to load some external content from a server to show to the user. This is useful in part because it allows you to update the content without going through the slow app review process. Potentially, if your backend got hacked, the hackers could change this content.
You can definitely serve content like that from your server and have the app render it (no website required). The review process would not block that.
You could also serve a change like this with an OTA update, again no app store review required, which ios and android allow (as long as you don't fundamentally change the app, and even then they could only catch that retroactively.
Not sure if they'd care if you load it in a webview as long as the UX wasn't substantially different. I seem to recall getting bounced to web auth flows pretty often.
