1 point by pagelensai 2 hours ago | 1 comment
  • benoau 2 hours ago
    You've covered a lot of the visible stuff, but I would also go deeper into their API endpoints and make sure users can only access their own stuff, endpoints can't be repurposed to do destructive things, passwords are irreversibly hashed, sessions work, exceptions and logging don't leak secrets, and authentication and payment endpoints are rate limited.
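
The checklist in the comment above, as an added example that is not part of the thread or of any project discussed in it: a small in-memory service showing three of those checks in code, namely per-object ownership checks on read and destructive endpoints, irreversible (salted scrypt) password storage, and rate limiting on the login endpoint. The `Api` class, its users and documents, the 5-attempts-per-minute limit and the scrypt work factor are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from collections import deque

# Password storage: salted scrypt, stored as salt || digest. Only the salt and
# digest are kept, so the plaintext cannot be recovered from the database.
SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumption: illustrative cost


def hash_password(password: str) -> bytes:
    salt = os.urandom(SALT_LEN)  # fresh per-user salt defeats precomputed tables
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(stored: bytes, candidate: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    cand = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, cand)  # constant-time comparison


# Verified against for unknown usernames so a failed login takes the same time
# whether or not the account exists.
_DUMMY_HASH = hash_password("placeholder")


class RateLimiter:
    """At most max_attempts per key inside any window_seconds-long window."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts, self.window = max_attempts, window_seconds
        self._hits: dict[str, deque[float]] = {}

    def allow(self, key: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] > self.window:
            hits.popleft()  # forget attempts that fell out of the window
        if len(hits) >= self.max_attempts:
            return False
        hits.append(now)
        return True


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


class Api:
    """In-memory stand-in for the service's user, session and document tables."""

    def __init__(self):
        self.users: dict[str, dict] = {}      # username -> {"id", "pw"}
        self.sessions: dict[str, int] = {}    # bearer token -> user id
        self.documents: dict[int, dict] = {}  # doc id -> {"owner", "body"}
        # assumption: 5 login attempts per minute per (client, account) pair
        self.login_limiter = RateLimiter(max_attempts=5, window_seconds=60)

    def register(self, username: str, password: str) -> int:
        uid = len(self.users) + 1
        self.users[username] = {"id": uid, "pw": hash_password(password)}
        return uid

    def login(self, username: str, password: str, client_ip: str,
              now: float | None = None) -> str:
        # Keyed on client and account so one source cannot spray a single account
        if not self.login_limiter.allow(f"{client_ip}:{username}", now):
            raise ApiError(429, "too many attempts")
        user = self.users.get(username)
        stored = user["pw"] if user else _DUMMY_HASH
        if not (verify_password(stored, password) and user is not None):
            raise ApiError(401, "invalid credentials")  # same message either way
        token = os.urandom(32).hex()
        self.sessions[token] = user["id"]
        return token

    def _authenticate(self, token: str) -> int:
        uid = self.sessions.get(token)
        if uid is None:
            raise ApiError(401, "not authenticated")
        return uid

    def _owned(self, uid: int, doc_id: int) -> dict:
        # Object-level authorization: the caller must own the record. 404 for both
        # "missing" and "not yours", so other users' ids cannot be enumerated.
        doc = self.documents.get(doc_id)
        if doc is None or doc["owner"] != uid:
            raise ApiError(404, "not found")
        return doc

    def create_document(self, token: str, body: str) -> int:
        uid = self._authenticate(token)
        doc_id = len(self.documents) + 1
        self.documents[doc_id] = {"owner": uid, "body": body}
        return doc_id

    def get_document(self, token: str, doc_id: int) -> str:
        return self._owned(self._authenticate(token), doc_id)["body"]

    def delete_document(self, token: str, doc_id: int) -> None:
        # Destructive endpoints pass through the same ownership check as reads
        self._owned(self._authenticate(token), doc_id)
        del self.documents[doc_id]
```

The `now` parameter on `login` and `RateLimiter.allow` exists so the window logic can be exercised deterministically; in production it is left unset and the monotonic clock is used. The ownership check lives in one helper that every document endpoint calls, which is the property to look for when reviewing a real API: a delete or update route that fetches by id without that check is exactly the "repurposed to do destructive things" case the comment warns about.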