So what's the mechanism here? I did not find any sort of api like isPhoneRooted() But also, I did not look very hard.

I am probably missing something obvious(some sort of tpm key attestation) but it feels like it would be impossible task. I mean, theoretically higher layers can check that lower layers have the correct signed checksums, but they need to use the lower layer to do it and the lower layer could just lie to them. (if isSystemFile(f_name) then return originalFile(f_name); or provide a virtual tpm).