Is there any usable mechanism to ensure I can trust my developers so that they can't do anything
stealthily harmful to my product / business in the code?
No. There are hundreds of things that all help a little, but they will cost you.
such as changing my PayPal email to his or redirecting my customers to his website?
Developers shouldn't have access to the website in production. They develop and test, then hand that over to the administrative team. You do have an administrative team with full security clearance and background check in place? However, that is where the "cost" factor comes in.
Developers need a copy of the database? Well, cleanse it from all information insecure - can happen automatic once there is a program for that written (costs). Stuff like randomizing names and credit card numbers, etc. Or have the developers well under contract -legally, NDA, background check. That happened in my last consulting job, we got fully checked to see the real time operations database. Randomizing and cleaning will greatly cost you, though.
Paylap - sure. Why should they not work against a second paypal account with corporate credit cards to test?
At the end it is a cost issue. Suing people and checking their background are the best options, plus, as I said, separating development from operations. However, this costs quite a lot. Every code should be reviewed by 2 independant - possibly external - parties. I was in one project where this happened - full code review on every release by an external auditor.