> Does it have root?

Not really, but it is a privileged System app, which pretty much means it can do a factory load of things that installed apps cannot without root.

Systems (or vendor) apps also have to predefine permissions in their manifest, so not every system app can do everything. But the list of permissions accessible by those apps is so broad they can effectively have root, as long as you define enough of them as developer

yes. (It's not really the 'root' user, but it trusts blindly and can do things such as installing apps without user confirmation.). In my other blog post about gms, the JS bridges would be running in the privileged scope.

You agreed to this in Google's privacy policy when installing Android.

Luckily it can be installed sandboxed and not privileged. (E.g. with GrapheneOS).

this is called a back door, not to mention it can already install (and uninstall!) apps without your permission. and yes they have already gotten in trouble for it in the past, but not enough happened to them.