Note that Uber was given that entitlement by Apple. It was explicitly granted an exception to use a private entitlement (which is in and of itself unusual) and then submit such an app to the App Store.
Apple's XML parsers apparently are not catching this due to the comment trick.
So the security relies on a human catching it. There are many ways to hide text from a human, i.e., padding it out with whitespace, character encoding tricks, etc.
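As an added example (not part of the original comments), here is a small review aid that flags the hiding techniques named above in an entitlements plist before a human looks at it. The key names, the whitespace threshold and the "printable ASCII only" policy are assumptions chosen for illustration.

```python
import re
import unicodedata

MAX_WS_RUN = 40  # assumption: longer runs of spaces/tabs are treated as padding

# Constructed sample input; every key name here is hypothetical.
SAMPLE = "\n".join([
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<plist version="1.0">',
    '<dict>',
    '  <key>com.example.allowed</key><true/>',
    '  <!-- <key>com.example.hidden-a</key><true/> -->',
    '  <key>com.example.ok</key><true/>' + ' ' * 60
    + '<key>com.example.hidden-b</key><true/>',
    '  <key>com.example.hid\u200bden-c</key><true/>',  # zero-width space
    '</dict>',
    '</plist>',
])

def audit_plist_text(text):
    """Return (line_number, finding) pairs for content a reviewer could miss."""
    findings = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        # Comment delimiters: parsers that disagree about where a comment
        # ends will disagree about what the file grants, so surface them.
        if "<!--" in line or "-->" in line:
            findings.append((lineno, "xml-comment"))
        # Long whitespace runs push text out of the visible area.
        if re.search(r"[ \t]{%d,}" % MAX_WS_RUN, line):
            findings.append((lineno, "whitespace-padding"))
        # Control, format (zero-width, bidi) and non-ASCII characters.
        for ch in line:
            if ch == "\t":
                continue
            if unicodedata.category(ch) in ("Cc", "Cf") or ord(ch) > 0x7E:
                findings.append((lineno, "suspicious-char U+%04X" % ord(ch)))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_plist_text(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```

A file that produces any finding should be rejected or normalised rather than passed to a reviewer as-is.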