If functionality exists in the client app, there’s nothing to be done to stop someone from bypassing checks.
Looking into it further this looks like it’s an API between the backend of a service and Google though. That would be difficult to defeat, but you could probably spoof the identity of the requesting device with enough effort
I am WAY too unqualified to understand any of the technical stuff, so I’ll be waiting to hear thoughts from experts on this one. It looks like if there are no major flaws in it this is a great thing for the platform overall.