Many times these kinds of attacks are buffer overflows, tricking the hardware/OS to execute code it wasn't intending. Its not just that the media player starts to behave strangely, often the attack corrupts code outside the media player. See the Android Mediaserver vulnerabilities, or many of the buffer overflow vulnerabilities in ffmpeg.

If an attack corrupts how the OS checks permissions, it doesn't matter if you've got some API framework for calls, it broke out of it.