They could also just have the kernel do whatever it wants to your program, because they control that too. If you are worried that Apple might tamper with your binaries if given the chance, using an iOS device is pure folly, because they outright control much more important parts of your system (the kernel, the UI libraries, the RNG…).

Why do they encrypt code segment? Signature is essential, of course, but encrypting looks unnecessary.

It's their fairplay DRM implementation that is supposed to prevent piracy.