This is only a problem when implemented by entities who have no interest in actually solving the problem. In the case of apps, it has been obvious for years that you shouldn't outright tell the app whether a permission was granted (because even aside from outright malice, developers will take the lazy option to error out instead of making their app handle permission denials robustly); every capability needs to have at least one "sandbox" implementation: lie about GPS location, throw away the data they stored after 10 minutes, give them a valid but empty (or fictitious) contacts list, etc.
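A sketch of the "sandbox implementation" idea from the comment above, added here as an illustration and not code from the commenter or from any real platform. The names `Broker`, `RealBackend` and `SandboxBackend`, the app names and all sample values are hypothetical; the point is that a denied app gets the same calls and return types as a granted one, with no error to branch on.

```python
import time

SANDBOX_TTL = 600  # seconds; the "10 minutes" from the comment

class RealBackend:
    """Stand-in for real device data (all values constructed)."""
    def __init__(self):
        self._files = {}
    def location(self):
        return (52.5200, 13.4050)
    def contacts(self):
        return [("Alice Example", "+10000000001")]
    def write(self, key, data):
        self._files[key] = data
    def read(self, key):
        return self._files.get(key)

class SandboxBackend:
    """Same interface and return types, but nothing real behind it."""
    def __init__(self, clock=time.monotonic, fake_location=(48.8584, 2.2945)):
        self._clock, self._fake, self._files = clock, fake_location, {}
    def location(self):
        return self._fake              # plausible but fictitious fix
    def contacts(self):
        return []                      # valid, empty contacts list
    def write(self, key, data):
        self._files[key] = (data, self._clock() + SANDBOX_TTL)
    def read(self, key):
        data, expires = self._files.get(key, (None, 0.0))
        if self._clock() >= expires:   # expired or never written
            self._files.pop(key, None)
            return None
        return data

class Broker:
    """App-facing API: no call reveals whether the user granted access."""
    def __init__(self, real, sandbox, granted):
        self._real, self._sandbox, self._granted = real, sandbox, granted
    def _backend(self, app, capability):
        allowed = (app, capability) in self._granted
        return self._real if allowed else self._sandbox
    def location(self, app):
        return self._backend(app, "location").location()
    def contacts(self, app):
        return self._backend(app, "contacts").contacts()
    def write(self, app, key, data):
        self._backend(app, "storage").write((app, key), data)
    def read(self, app, key):
        return self._backend(app, "storage").read((app, key))
```

The injectable `clock` exists so the 10-minute expiry can be exercised without waiting; a read of an expired key looks the same as a read of a key that was never written.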