Ultimately, no matter what you do on the client side, the server only knows what the client tells it. You don't need advanced emulation of JavaScript features to spoof an agent; you just need to mimic the requests a normal agent would make.
In theory, perhaps. But in practice, that's too simple: what, for example, about certificate pinning? If you have a safe certificate on the client, spoofing becomes (prohibitively) hard.
Try, for example, to disassemble Facebook's APK or disable pinning via Frida (https://github.com/frida/frida). It's not exactly easy, and with frequent releases, it's a moving target.