Sure, but the practical form of this attack is limited.
You can't maliciously embed it in a site you control to either steal map usage or run up their bill because other people's web browsers will send the correct host header.
That means you can use a botnet or similar to request it using a a script. But if you are botnetting Google will detect you very quickly.
> But if you are botnetting Google will detect you very quickly.
They don't do anything against that.