What stops a malicious actor from calling those APIs and feeding them garbage?
Isn't that true for any service or API that collects data? If a bad actor wants to spam it with useless info, they can always find a way to do it.
You can filter out a lot of bad data with UA bot detection and maybe rate limits per IP, but if someone really wants to spam your service, they can always do it.
GA already has a lot keyword/referrer spam, where you saw as referrers some dodgy websites.