@kitkat_blue Years ago I was working for a retailer in the UK who had only recently built their first mobile app on iOS. Like most apps of that era, it was little more than a webview and it didn't need many permissions.
Like most developers, they had incorporated some analytics package that was reporting on users' interaction with the app. I'm fairly sure it was a binary library that they linked into their app. I don't think they got source code. I might be wrong.
I could see the telemetry going up in the analytics API calls. Which buttons, which pages, etc.
Then one day they launched an app feature "find a store near me." Now the app needed location permissions. If the user granted location permissions, the analytics library got access to location. Anything the app can do, the analytics library can do. And, sure enough, those analytics telemetry messages started to carry GPS coordinates from the user to this third party. My customer didn't make any change to their code. They didn't turn that on. They just asked for, and got, location permission from the end user for a legit purpose in the app.
I pointed it out, because this was a change in behavior that was not contemplated by their privacy policy. Heck, it's a change in behavior they didn't even know had happened! It wasn't in their code! So they quietly pushed out a small update to the policy that made it OK.
That was probably like 15-16 years ago.
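
A defender-side check for the behaviour described in the post, as an added example that is not part of the original post: it compares analytics request bodies captured before and after a release and reports JSON paths that newly carry coordinate-like values. The JSON shape, key-name list and sample captures are constructed assumptions, not the real SDK's format.

```python
import json
import re

# Key names that usually carry position data (assumed list; extend for your SDK).
LOCATION_KEY = re.compile(r"(?<![a-z])(lat|latitude|lon|lng|longitude|gps|geo|coords?|location)(?![a-z])", re.I)
# "51.5072,-0.1276"-style pair embedded in a string value.
COORD_PAIR = re.compile(r"(-?\d{1,2}\.\d{3,})\s*[,;]\s*(-?\d{1,3}\.\d{3,})")

# Constructed sample captures, one JSON telemetry body per line.
BASELINE = [
    '{"event": "tap", "button": "basket", "device": {"os": "iOS", "latency_ms": 120}}',
    '{"event": "screen", "page": "home"}',
]
CURRENT = [
    '{"event": "screen", "page": "store_finder", "ctx": {"lat": 51.5072, "lon": -0.1276}}',
    '{"event": "tap", "button": "search", "meta": "pos=51.5072,-0.1276"}',
]


def walk(node, path="", key=""):
    """Yield (path, last_key, value) for every leaf of a decoded JSON body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, path + "[]", key)
    else:
        yield path, key, node


def location_paths(body):
    """Return JSON paths in one telemetry body that look like a position."""
    hits = set()
    for path, key, value in walk(json.loads(body)):
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            if LOCATION_KEY.search(key) and -180 <= value <= 180:
                hits.add(path)
        elif isinstance(value, str):
            m = COORD_PAIR.search(value)
            if m and abs(float(m.group(1))) <= 90 and abs(float(m.group(2))) <= 180:
                hits.add(path)
    return hits


def new_location_fields(baseline, current):
    """Location-like paths present in the new capture but absent from the old one."""
    seen = set().union(*map(location_paths, baseline))
    return sorted(set().union(*map(location_paths, current)) - seen)
```

Run against captures taken before and after any release that adds a permission prompt; a non-empty result means a third-party payload changed without a change in the app's own code.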