Hacker News

charcircuit today at 7:12 AM

It is not actually locked to a site; it is just based off the host header. Which is public information an attacker can use to make the requests.


Replies

nl today at 11:22 AM

Sure, but the practical form of this attack is limited.

You can't maliciously embed it in a site you control to either steal map usage or run up their bill because other people's web browsers will send the correct host header.

That means you can use a botnet or similar to request it using a script. But if you are botnetting, Google will detect you very quickly.

grey-area today at 7:15 AM

Is there a way to use Google Maps APIs on the web without exposing the key?

Re host header: seems an odd way for Google to do it, surely they would have fixed that by now? I guess not a huge problem as attackers would have to proxy traffic or something to obscure the host headers sent by real clients? Any links on how people exploit this?
