I have not done extensive testing, but there is evidence that that android.permission.ACCESS_MOCK_LOCATION in application Manifest does not work as one would assume (i.e. if exists - allows mock location providers, otherwise not). So fake GPS applications like https://play.google.com/store/apps/details?id=com.lexa.fakegps work with any application, whether it has ACCESS_MOCK_LOCATION set or not. It seems to be enough if user allows fake locations in device settings.
Maybe ACCESS_MOCK_LOCATION really means that the application can be itself mock location provider? If so, then it should be read more like WRITE_MOCK_LOCATION, not access (read) as the name would suggest. Sounds more like bug than a feature. If this is true, then there is no way to really ensure that GPS location is real, not fake one?
Since no one actually answered your question, I will provide an answer:
Maybe ACCESS_MOCK_LOCATION really means that the application can be itself mock location provider?
Yes. The permission allows the app to "access" the "mock location" developer feature. This allows a developer to create mock locations that appear to be real in order to develop/test apps that have location-based features without actually having to physically move or alter (e.g. hard wire a fake GPS) the device.
Because Google does not know what app you will want to test or how you will want to provide fake data, it did this. As a developer feature, it reduces the exposure of this feature to the general population.