That's not really accurate. Google uses Linux as a base, makes changes and release it as Android. Because of the terms of the Linux license, they have to make public all their source code for the extras stuff. Others can then take the Android source, strip/comment/ifdef out the special Google spy stuff and recompile. It really doesn't matter at that point if Google was involved in development.
Yep. You’re right. Of course, this makes it very easy to see if there are any Google-implemented shenanigans in the code and to strip them out.