In infrastructure mode, all WiFi traffic goes through the access point. Whether or not, from a configuration perspective, the access point lets you meddle with traffic that passes through it is a separate question, but I don't think there's anything wireless-protocol-wise that precludes it.
Just to add—in open networks masquerading as the AP is possible so long as you can reach the hosts with your Tx. This is mitigated with encryption, however, as I understand the WPA2 standard, I suppose you could send out a broadcast ARP response packet encrypted using the Group Transient Key pretending to be the AP. However, probably all sane clients would discard ARP responses that were broadcast, as normally, ARP responses should always be unicast to the requesting client.
How does a client actually authenticate a packet coming from the AP versus something else? The only info is a preshared key so it doesn't seem possible to have any true security there.
The PSK is used to derive pairwise keys between each station and the AP. However, if the attacker knows the PSK, it's theoretically impossible sufficiently advanced attacks. That's why enterprise networks use RADIUS for enhanced security.
I believe the AP has separate session keys per client (the shared secret is used for authenticating with the AP and setting up a session -- and yes, I guess that means if you know the shared secret the client expects you to use (eg: a note in a cafe) you can probably impersonate the AP at the point of client association) -- but the group key is special.
But as demonstrated up-thread I clearly need to refresh my knowledge of 802.11*...
