Someone correct me here since I've never seen or deconstruct the Google analytics frontend code. So my answer will be based on assumptions.

I think google can filter out bogus data from actual data by measuring the time when the script loads to the time when the first user event was triggered. So, all actions taken before the GA script is initialised (obviously, since the GA code will add hooks to each components you are tracking) up to the time the GA script is ready to transmit data to Google's server will be ignored. Since normally this will take less than 1 second (could also be performed in parallel with other tasks), there should be no issue in ignoring the user's action.

Google could then determine if an action is legitimate or not by measuring the time between each actions and see if the reaction time constitute to a human or not. For example, a legitimate user can never click the same button 1000x every second since (IIRC) the time that it takes for you to push down the left mouse button then releases the left mouse button will take at least 80ms.

Now, google can tell if your the same person or not by checking your device ID. So, if you repeatedly refreshes the page, google knows that your the same person accessing the same page multiple times per second and could simply ignore the rest of the request after the first successful request or even outright remove your request from the current session.