That part of Android is open source, so you could in theory audit it and build it yourself. I would be surprised if any big deliberate backdoors hid there. There are large downstream projects that use this source and builds on it which potentially would notice.
The Play Services however pretty much amounts to a remote root shell open at all times. Google can remove or modify code at will, and they have been known to do it in practice for spyware removal. I can understand how an activist finds that problematic.
EDIT: of course the fewer attack vectors the better