Agreed, I've been through something like this before and it was not legit. They'd compromised a Bangladeshi police email account and used it to try to get data out of us.
That's right, there's no guarantee the data hasn't been tampered with after encryption. The mechanics of the tampering you could do depend on the cipher mode you use.
To give a simplified example (which doesn't match what this program does but is useful to demonstrate), ECB is the simplest mode (which really shouldn't be used for anything). Your input is split into fixed-length blocks (16 bytes for AES) and each block is encrypted separately, producing a deterministic ciphertext for each block. (e.g. a block of all "A" will always encrypt to the same thing).
So if an attacker is able to figure out what plaintext a block of encrypted data corresponds to, they could use that knowledge to build a "fake" encrypted message. They could also remove blocks from a message, or shuffle them around.
If you're interested in playing around more practically with this kind of thing, I highly recommend the https://cryptopals.com/ challenge sets.
Steam on Linux already uses LD_PRELOAD under-the-hood to load the overlay. Valve signs the overlay SO files, so they could be making an exception for Valve-signed-preloads in VAC, but it's also possible that VAC does something else to check for suspicious libraries loaded in.
This could work for domestic requests, but the one example of this I've seen in the wild (and this was mentioned in the original post) involved a request (supposedly) coming from police internationally. Though, requests from foreign police are more likely to be handled with scrutiny, so maybe forcing more manual verification (and identification of the proper process in the first place) aren't bad things.
That's a matter of repository policy, but yes, Flathub (by far the largest and most popular repository) allows for this. I believe that they generally put a disclaimer that it's not an official package in the description, and allow the upstream developer to claim the application ID for themselves if they wish to maintain it.
