As I said, when writing sensitive software, you start by building safeguards in place. For example, make every possible action visible to Niantic go through an independent process that will make sure they are within safeguard limits, and will deny further requests. And always fail fast - when the code notices something is wrong (e.g. unable to understand data), it signals the safeguards to stop immediately.
That way, when something breaks, the system shuts down. IITC becomes unavailable to users until fixed, but nothing more.
Yes, there will always be bugs, but you can prepare for them even if you don't know what they will be. Of course, there could
also be a bug in the safeguard system as well, anything is possible, but that is a lot, lot less likely if the safeguard is kept as simple as possible.