alt Hacker NewsI think the problem is that older SDK versions allowed you to do things like scan local WiFi names to get location data, without requiring the location permission.
So bad actors would just target lower SDK versions and ignore the privacy improvements
The newer Android version could simply give empty data (for example, location is 0,0 latitude longitude, there are no visible WiFi networks), when the permission is missing and an app on the old SDK version requests it.
Of course, they don't like this because then apps can't easily refuse to work if not allowed to spy.