Yes the most possible shit occurs at scenario 2.
But how many users are on scenario 2? I think it would be not many. Most people don't share their devices.
But I'm thinking about another crack possibility if this payload string left empty. It would be easy to crack it down.
The only thing makes me mad is this thing should be on Google API side. Google's job to verify and make sure who purchased the item. Why we need our own server?