BG-FGS restrictions bypass via set app-owned IIntentSender to contentIntent.mTarget and call `PendingIntent.send` with callbacked whitelistToken

In sendIntentSender of ActivityManagerService.java, there is a possible background activity launch due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.