You don’t even need MX trickery to make this an issue; how many people who moved over to Gmail setup forwarding rules from their old email address to Gmail? You’d never be able to tell from the outside that your messages are going to an unsafe location

This is not theoretical, if you've got say support@example.com that goes to your support queue, and employee@example.com that goes to your employee, and you want employee email on G Suite, your options are:

a) have your own MX that handles support mail and forwards employee mail to Google MX; G Suite provides a not exactly public domain you can forward to and you can whitelist your forwarder(s) IPs so Google uses the received headers for spam checking and SPF checks. If you don't setup the whitelist properly, a lot of mail will bounce or get flagged, yeah; but Google isn't dumb, they detect mail forwarding IPs with good behavior and will eventually semi-whitelist them without intervention.

b) The opposite way, where google is public MX and then delivers either specific addresses or unhandled wildcards to your MX to manage the support queue. (Or you might also forward it to a third party).

c) some people use third party email archival services (for example, ProofPoint) or virus scanning that shows as the public MX, and then forwards to some other MX for actual delivery

> a very odd and theoretical setup

Nope, I use https://mxguarddog.com/ for one of my domains. That acts as a spam filter, but also hides the ultimate MX host.