I suspected something along these lines was possible when I looked at this provider a couple months ago.

If I recall, I had a fairly decent view of their various checks because it was delivered completely unminified, including a couple amusing sections and unimplemented features. (A gesture detector with the middle finger gesture in the enumerable commented out, for example...)

Another attack vector that I speculated upon was intercepting and replacing their tflite model with ones own, returning whatever results required.

Additionally, I believe they had a check for virtual camera names in place, as checks would quietly fail with a generic message in the interface, but show the reason as being virtual camera within responses. (Camera names are mutable though, so...)