That sounds like something that's also not that risky. Short lived, temporary access point with randomized BSSID/mac address should not be useful for long term tracking if done well.
It is not, if the developer only does what is expected. I believe when you have to perform this, the Android authorization asked to the user is complete control over the network adapter settings.
