Systems (or vendor) apps also have to predefine permissions in their manifest, so not every system app can do everything. But the list of permissions accessible by those apps is so broad they can effectively have root, as long as you define enough of them as developer