This is classic privilege elevation via a 3rd party privileged process. I thought Android's permission system carrying the security context from app to app through Intent. Guess the assumption is wrong.
In most OS, the security token/context of the initiating process is carried over to the target process when it's asked to do something on behalf of the initiating process via IPC so that the target process runs at the privilege level of the initiating process even if the target process has a higher privilege to start with.
In most OS, the security token/context of the initiating process is carried over to the target process when it's asked to do something on behalf of the initiating process via IPC so that the target process runs at the privilege level of the initiating process even if the target process has a higher privilege to start with.