I'm not sure if they still do this, but Facebook used to ship both code paths in the app binary for new launches, and give Apple instructions on how to test both code paths (e.g. sign in with this special user/pass combo).

So they weren't changing app functionality after App Review approval; it's just that for users some of that functionality was gated on a boolean that was fetched over HTTPS.

Putting code behind a feature flag seems entirely fair and a good idea for developers of any size.

It's also a thing that can easily affect small developers; if your app requires logging into some existing paid account (enterprise software, a bank's app, etc.), the available features depend on what features the account has paid for. So as part of the review, you send Apple credentials for a test account that has all the features enabled. (Without a test account, they couldn't log in at all.)

Are there any sites that document Facebook or Google using hot code push on iOS?

Their guidelines specifically say that, with prior authorization, the prohibitions do not apply.

unfortunately, just like any other private platform, they don't need to be consistent or follow the rules all the time.

I say, don't go native unless you must (for performance reasons etc). push the web forward instead!