The blacklist is easy to circumvent by offering apps with randomly generated package IDs and probably also with randomly generated signing keys per user.
This is of course more effort than just building and signing the app once, but doable.
Of course, you can't have any API keys or functionality in the app that is bound to a specific app ID or signing key.