Hacker News

I think there's a practical difference between what an app could do with root permissions and what is widely understood to be likely or acceptable. The "anything the app could do it is doing" model isn't really the right model to apply for vendor apps that are generally trusted by consumers (and observed by security researchers). We're not talking malware with root; we're talking the regular system health and monitoring apps that vendors install.

So it's real unlikely that MotoCare is intentionally trying to de-anonymize someone's COVID-19 data by code injection or continuous GPS logging. It is extremely likely and expected that the app is periodically grabbing the syslog as a crash report, and that means Google's claim of keeping your data private now has to implicitly assume that MotoCare, without doing anything special other than its regular behavior, is also keeping your data private. That's not a claim Google should be implicitly making on behalf of MotoCare (let alone on behalf of every app that could hypothetically be installed on your system and is understood to be well-behaved in the sense that it just reads the syslog).

It's really incumbent on a privacy-protecting application to not put private data in the syslog. If it's in the syslog, it's not private (even though it's more private than, say, a notification on the homescreen).



