/data/app/org.fdroid.fdroid.privileged.apk will get system privs if signed by same key

I'm sitting here with Kees of Fairphone talking about Priviledged app integration. He pointed out a difficult vulnerability that concerned him in regards building in the priv-app by default. If there is an APK installed that has the same packageName as the priv-app, and its signed by the same key as the priv-app, Android will automatically grant that APK root privileges since it will treat that new APK as an update to the APK included as a system app. So including the priv-app by default would mean granting whoever controls the F-Droid signing key full root access to all devices that include the priv-app by default.

Ideally we could find a way where any updates with the same packageName would be totally ignored.

@dschuermann @pserwylo @mvdan @CiaranG any thoughts on this?