alt Hacker NewsApparently just like OP, you didn't read the article either. Just because the app doesn't ask for permission in the manifest doesn't mean it can't be acquired at runtime. It's very publicly documented [0].
So, no. Not a "hallucination".
[0] https://documentation.onesignal.com/docs/en/location-opt-in-...
How certain are you of that?
That appears to be about providing a message to the user before requesting permissions.
However, it appears even permissions you allow your app to request still need to be declared beforehand? https://developer.android.com/training/permissions/requestin...
Regardless, people are reporting mixed info on whether the app declares location access: https://news.ycombinator.com/item?id=47557010