or third party owned eavesdroppers. Some contexts are leaving little option (all products demanding privacy loss): this is where the big battle will lie.
I used to use Viber for calls outside the EU, and briefly after the GDPR was implemented, I checked their data partners, I kid you not, more than 1000 data harvesting companies were listed there. Keep in mind, Viber has acess to so many permissions on Android, it's freaky even if they didn't have this many partners (I had XPrivacy back then). Can't imagine how compromised the regular users are.
I uninstalled that malware a long time ago despite everyone around me using it. Years ago when I still had it, I found that they've been transmitting all my data - including messages apparently - to Facebook. I found this in the FB privacy console, as Viber would have never told me explicitly.
To your second concern... can't you now disable all those permissions individually? Not allowing you to then proceed with using the app would break their Google Play developers agreement, I assume. I hope.
There are plenty of other "hidden" permissions that are not exposed to user control. This include, but not limited to, the closest tower nearby you, the SSIDs around you, access to the list of apps installed, etc ... While the Android permission settings gives the illusion of "privacy", the reality is far more bleak. If you ever dip your toes in Android App Development you would know. But even now, relying on XPrivacyLua to handle the permission blocking. Don't even get me started on Apple and their illusion of privacy. At least with Android you can tailor an AOSP Rom to your liking with minimal Google apps, but with Apple, they don't even allow you to disable location from the Quick Settings menu.
But overall, nowadays it's at least possible to limit the impact – compared to Lollipop era for example, when everything suddenly started to look modern, unified and nice, but still full of the same old holes.
(see Privacy Nightmare on Wheels’: Every Car Brand Reviewed by Mozilla, https://news.ycombinator.com/item?id=37443644 )
or third party owned eavesdroppers. Some contexts are leaving little option (all products demanding privacy loss): this is where the big battle will lie.