A custom permission is declared with a normal/dangerous protection level, so any installed app can be granted it, weak protection for whatever it guards.
A custom permission with protectionLevel normal or dangerous can be requested by any third-party app. Anything you guarded with it (providers, services) is effectively open to apps the user happens to install.
Internal interfaces believed to be private are callable by other apps, leaking data or triggering privileged actions.