My point is that this could very well be incompetent instead of malice.
Doesn't really change anything and I would not install an app that requests all these permissions and I am also very careful with apps distributed outside the official store.
With that said, Android by default disables dangerous permissions and almost everything has to be opted in these days.
The horseshoe principle applies on the malice/incompetence dimension. Any sufficiently advanced malice is indistinguishable from incompetence. (Disguising ill intent by as incompetent design is one of the strongest deniability approaches.) But also any sufficiently advanced incompetence is indistinguishable from malice. (A bad actor can fully compromise an incompetently designed system as well as if the vulnerabilities had been intentional.)
Doesn't really change anything and I would not install an app that requests all these permissions and I am also very careful with apps distributed outside the official store.
With that said, Android by default disables dangerous permissions and almost everything has to be opted in these days.