I am tracking my installs with two methods like you can see here in my manifest:
<receiver
android:name="com.google.android.gms.tagmanager.InstallReferrerReceiver"
android:exported="true">
<intent-filter>
<action android:name="com.android.vending.INSTALL_REFERRER" />
</intent-filter>
</receiver>
<receiver
android:name=".tracking.ReferralReceiver"
android:exported="true">
<intent-filter>
<action android:name="com.android.vending.INSTALL_REFERRER" />
</intent-filter>
</receiver>
The second receiver generates a lint warning the first not. Does that mean that Google knows that for their InstallReferrerReceiver and know that it is safe to let it exported?
PS: I know I can use tools:ignore="ExportedReceiver".
The INSTALL_REFERRER intent is broadcasted when an app is installed from the Google Play Store.
android:exported="true" means that the receiver is allowed to receive broadcast intents from other applications. You do want this, or you will not be able to receive the event which is sent by another app (the system or the Play Store app, I'm not sure).
However, if you check the documentation for android:exported, its default value is true if it has at least one <intent-filter>, otherwise it is false.
So to sum up, you need android:exported="true" to catch the event. But omitting this property would be also OK, since the default value is true for your receivers (but it's safer to have it).
About the Lint warning: It recognizes the name, and that's why it knows that the first version is safe.