Maybe because Google and it's products have little respect for user privacy?

That's incorrect. Querying installed apps has been severely restricted (and thus mostly useless) and also requires a special nuclear-scale permission since Android 11.

I am wondering what exploit HSBC is using because I really don't think they are using official APIs for this.