So, my conception of microG was that it is a bundle of Play Services with parts removed.
Now after looking at their code, it's all FOSS? So this is a transparent FOSS project replacing the Play Services for various things, either by connecting to Google or by using different services like UnifiedPush, UnifiedNLP or MapBox tile server altogether.
This sounds awesome, as it is actively selecting the things it wants to do.
It fakes values and signatures to connect to Google, which is understandable. But does this make it "insecure"? It cannot have access to various proprietary secrets in the Play Services I suppose.
Also, relying on it may be highly unstable. But if it is a trusted FOSS project, how would it be different running microG unsandboxed, from running the complete, proprietary and bloated Play Services as a user app, and only channeling the wanted calls (?), as I understand it?
Btw why is there no "gmscompat" tag?