They never agreed to the ToS, so they can't have violated them.

It does seem to violate the Google Play ToS in terms of applications not using unauthorized 3rd party resources.

Google will most likely just fingerprint these calls and block them serverside, I'm guessing.

If you use a service by someone else then you implicitly agree to the terms. I agree that browsewrap style ToS are bullshit where merely landing on a website supposedly binds you to whatever terms they wrote, but if you actually go out of your way to integrate someone's API into your code you are definitely agreeing to the terms!

How so? A contract requires a "meeting of the minds". If one of the minds doesn't agree to (or even see) the contract, then how could it be enforceable?

This might not be so clear. If you think about google crawling your site without you knowing it - technically its same unprotected request/response as calling API. If i had TOS that prohibits crawling of the site (instead of robots.txt) does it mean that google is breaking my TOS? Seems like the solution is clearly for me to protect my site/api - not other way around.

Now if I add to all my backend response headers ”x-terms: you must agree usage terms: https://xn--blah-jb7a would it make it explicit enough, also for the ignorant engineer with “But this API just works” attitude ? It should be a industry standard really.