I think you answered your question. They can just call an API to see if an address is banned. It's easy peasy when it's centralized.