No, they could not. And if you don't want to trust $random_manufacturer's Android ROM, you could switch to GrapheneOS[0] whose developer Daniel Micay attaches a lot of importance to reliable app signatures (which is why GrapheneOS doesn't come with MicroG as the latter would need signature spoofing).

[0]: https://grapheneos.org/