Concept
SDK archives (AAR) contain native lib and JVM code packaged under 2 sub-packages impl and sdk:
sdkpackage contains all public classes and interfaces to be used by the final app.implpackage contains all internal class implementation and is not visible outside the SDK.
When building an SDK, obfuscation is only applied on the impl elements which are repackaged in a flat structure. sdk classes though are kept clear to be used by applications.
Recommendations
When building an application one should apply obfuscation (using a tool such as Proguard) with a provided configuration. The sdk sub-package can now be obfuscated and all classes will be put in a flat package as well.
impl package should not be re-obfuscated because it contains static obfuscation used by native libs.
The result of this two-step obfuscation is thousands of classes (SDK, client app, dependencies) that are stored in the same bag and make it very hard to retrieve sensitive code.
