
How Can the Settings App Start an App's Non-Exported Activity?


I would guess there is nothing in the manifest that gives an app the permission to call exported activities. I believe the way it's accomplishing this is by setting LOCAL_PRIVILEGED_MODULE := true in the Android.mk file for the Settings application. This flag will give an application system-level permissions and place it in the system/priv-app/ directory during OS compile time.

If you look at frameworks/base/core/java/android/app/ActivityManager.java for the method checkComponentPermission you can see that if the UID is that of the SYSTEM, component permission is granted regardless of the exported setting.


While @Bobbake4's answer that the check is based on UID is correct,

> If you look at frameworks/base/core/java/android/app/ActivityManager.java for the method checkComponentPermission you can see that if the UID is that of the SYSTEM, component permission is granted regardless of the exported setting.

I believe the first part about LOCAL_PRIVILEGED_MODULE is irrelevant. The directory location doesn't control which UID Settings gets; instead, that is set by the sharedUserId in the manifest. As noted in the documentation, this only works if the app is signed using the same certificate as the platform.
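
The check both answers refer to, as an added example that is not part of the original posts and is not AOSP source: a simplified stand-alone Java model of the order of decisions in checkComponentPermission, showing why a caller running as the system UID never reaches the exported test. The class name, the `held` permission set and the sample UIDs 10123 and 10456 are constructed for illustration, and the model omits the framework's isolated-process check.

```java
import java.util.Set;

// Simplified model (not AOSP source) of the order of checks in
// ActivityManager.checkComponentPermission(permission, uid, owningUid, exported).
public class ComponentPermissionModel {
    static final int ROOT_UID = 0;            // android.os.Process.ROOT_UID
    static final int SYSTEM_UID = 1000;       // android.os.Process.SYSTEM_UID
    static final int PER_USER_RANGE = 100000; // uid = userId * range + appId
    static final int GRANTED = 0, DENIED = -1;

    // 'held' is a hypothetical stand-in for the package manager's record of
    // which permissions the calling UID has been granted.
    static int check(String permission, int uid, int owningUid,
                     boolean exported, Set<String> held) {
        int appId = uid % PER_USER_RANGE;
        // Root and system pass before "exported" is ever consulted.
        if (appId == ROOT_UID || appId == SYSTEM_UID) return GRANTED;
        // The owning app always reaches its own components.
        if (owningUid >= 0 && appId == owningUid % PER_USER_RANGE) return GRANTED;
        // Every other caller stops here when the component is not exported.
        if (!exported) return DENIED;
        // Exported and unprotected: anyone may call it.
        if (permission == null) return GRANTED;
        // Exported but permission-protected: the caller must hold it.
        return held.contains(permission) ? GRANTED : DENIED;
    }

    public static void main(String[] args) {
        int owner = 10123; // constructed UID of the app owning the activity
        int other = 10456; // constructed UID of an unrelated app
        Set<String> none = Set.of();

        // Settings declares android:sharedUserId="android.uid.system" and is
        // platform-signed, so it runs as UID 1000.
        System.out.println("system, non-exported: "
                + check(null, SYSTEM_UID, owner, false, none));   // 0
        // The same appId under a secondary user (user 10) is still system.
        System.out.println("system (user 10), non-exported: "
                + check(null, 10 * PER_USER_RANGE + SYSTEM_UID, owner, false, none)); // 0
        System.out.println("owner, non-exported: "
                + check(null, owner, owner, false, none));        // 0
        System.out.println("other app, non-exported: "
                + check(null, other, owner, false, none));        // -1
        System.out.println("other app, exported, no permission required: "
                + check(null, other, owner, true, none));         // 0
    }
}
```

In this model, exported="false" keeps out other application UIDs only; any code running as the system UID can still reach the component.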