Hello,
As you saw, the notification API accepts TXIDs from anyone (but not confirmation counts). Then, the plugin queries the wallet about these transactions by their ID. The plugin will only insert a transaction to the DB if it concerns a user on the system and if it is valid according to the wallet. The API endpoint is very simple and secure. It does not need to trust the caller.
The same is true with blocks but blocks are not currently being used in anything. The hook is available for future use.
with regards