You're correct, but there's a good reason: they need to draw over other apps to do what they do. So it's not necessarily nefarious. But it is an excellent reason to build the functionality into the OS.

(The reason the permission is so dangerous is they can trick you into pressing the wrong button by relabeling dangerous text with innocuous text.)

Absolutely, which is why I really appreciate the network permission on GrapheneOS. It makes me more comfortable to allow other permissions knowing no data can be exfiltrated.