Again, app design and data privacy and data integrity and information security are each immense topic areas.
I’d get your data model and your app structures and server requirements sorted first.
As for some hypothetical breach, either you notice the security issue with the app or with your backend servers and ask Apple to pull the app, or provide and quickly update the app, or Apple notices and pulls the app. What notices get sent if Apple detects a security problem with an app and pulls it, I don’t know.
What detection and debugging and telemetry you might incorporate into the app and into the backend servers (if any) to detect potential corruption or compromise will vary by local requirements and exposures, as well.
If app development itself is more generally unfamiliar (as might be inferred here), there are app development classes and software development programs around, though coding schools and boot camps and even colleges can all be a mixed bag. Some are good, and some are little more than student loan debt creation schemes.
Past what Apple encourages with connection security and privacy and related topics, you will want to avoid having sensitive data, will want to get rid of sensitive data, and to store data appropriately and only for as long as necessary. What you don’t have can’t be compromised.
What’s sensitive and what is protected and what is problematic or criminal or what can lead to personal injury or worse can vary by a user’s own situation or country or region of residence, too.
An app that might process or transfer money (potentially including KYC and AML regulations, PCI requirements, etc.) or passwords or health data or such obviously has larger security exposures and risks than might a solitaire app, and apps with exposures to cheating or fraud require more thought and more effort than does a painting app. Which is a lot of words for “it depends”.
Don’t have and don’t keep data you don’t need, encrypt what you must have, don’t create your own encryption scheme, timezones and addresses and names are all much more complex and much more subtle than most realize, networks can and will inevitably fail in the most annoying ways and at the most inopportune times, client devices and client connections can’t always be trusted, devices get lost and passwords get forgotten, etc.
TL;DR: This whole area is immense and sometimes subtle, you’re headed toward consulting time with somebody with experience in app and/or information security design, or toward hiring developers with experience in the areas needed, or toward a combination.