Not an Android expert, but this is how it seems to me.

It's Google's responsibility to implement the hooks in a secure way, so that an app that is registered e.g. for the "call" hook cannot prevent the call from taking place.

Seems that somewhere in there, someone messed up.