Comment by Aachen
But I, as the attacker, would just modify the value right?
It's not that the device transmits signals into space and the satellite operator, a trusted third party, would relay to the server where the user was computed to be. Instead, it's the user self-reporting the computed value from GPS satellites' signals
If you decompiled the app, then yes, you could spoof GPS. Still, a well behaved backend would stop you in your tracks.
The user is not self-reporting, the app is.
Again, just because something can't be 100% bulletproof it doesn't mean it needs to stay wide open.