Thanks for the extra detail. It's good to see that Google is clearly doing more than just signature-style checks. I knew they could do that sort of thing in Play Services, but, based on past coverage/discussion, I wasn't confident that they were.
That still leaves open the question of security issues that aren't well-known, of course. Thinking about it a bit more, I can see the attraction of not adding extra complexity to the Play Services verifier until they "had to". If they're doing server-side checks and analysis that include undisclosed/low-profile issues, that could be a reasonable balance (even if there is some lag time involved for simulations and the like), but if they're not...
Sadly, we're unlikely to ever know the difference.