How so? Assuming they’re modifying the APK they can just remove whatever check is in place. I’m guessing something like microG could emulate this API and always return true as well (though this veers more into DRM bypass which may cause legal trouble for microG).
For apps that communicate with a server, there will be so-called hardware attestation, like the API doesn't just return "true" but a signature which the server can validate. Keys for this are in the TEE/whatever secure element the phone has (and there's a $500K bounty for extracting secrets from the TEE).
For apps that don't, Google is currently developing a new obfuscation VM called pairip (that libpairipcore.so). This extracts some Java code into a VM, so patching an app is not simply a matter of patching smali code - that VM employs many checksums on its memory.
Privacy-conscious folks will just... not use those apps. With any luck app devs will notice that apps with this flag get installed less and stop setting it.
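
The server-side check behind the hardware attestation described in the thread above, as an added example that is not part of any post or of Google's API: the server issues a nonce and accepts only a signed verdict bound to it, so a client that merely answers "true" is rejected. The claim names, `AttestationVerifier` and `device_attest` are hypothetical, and HMAC with a shared key stands in for the asymmetric signature made by a key held in the TEE.

```python
import hashlib, hmac, json, secrets, time

# Constructed key. Assumption: real attestation uses an asymmetric key in the
# TEE/secure element; HMAC is a stand-in so this runs with the stdlib only.
DEVICE_KEY = secrets.token_bytes(32)

def device_attest(key, nonce, package, app_unmodified):
    """Hypothetical stand-in for the secure element signing a verdict."""
    claims = {"nonce": nonce, "package": package, "app_unmodified": app_unmodified}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()

class AttestationVerifier:
    """Server side: issue a challenge, then validate the signed verdict."""
    def __init__(self, key, package, max_age=60):
        self.key, self.package, self.max_age = key, package, max_age
        self.pending = {}  # nonce -> time issued

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.time()
        return nonce

    def verify(self, payload, tag):
        # 1. Signature first: nothing in the payload is trusted before this.
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"
        try:
            claims = json.loads(payload)
        except ValueError:
            return "malformed"
        if not isinstance(claims, dict) or not isinstance(claims.get("nonce"), str):
            return "malformed"
        # 2. Nonce must be one we issued; pop() makes it single-use (no replay).
        issued = self.pending.pop(claims["nonce"], None)
        if issued is None:
            return "unknown-or-replayed-nonce"
        if time.time() - issued > self.max_age:
            return "stale"
        # 3. Only now read the verdict itself.
        if claims.get("package") != self.package:
            return "wrong-package"
        if claims.get("app_unmodified") is not True:
            return "app-modified"
        return "ok"
```
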