Hacker News

Thanks, definitely looks like it's been abused.

But does the policy solve this problem? The first link is a file explorer app. In theory that app should be granted the permission by Google. They could get established and then start collecting data later. So how does the policy help?

In practice the only way it helps is by Google basically telling everyone other than big trusted orgs no, and that's not an open ecosystem.

Why not just give the user a big fat warning, even telling them that apps which request this permission have been known to steal data in the past, then let them decide for themselves?



It reduces the attack surface area, and in theory allows more thorough vetting of apps that are eligible to use the permission without spending additional resources. I say in theory because I have the impression Google wants this to be almost entirely automated and isn't actually doing a good job vetting apps that use risky permissions.

> that's not an open ecosystem

No, it is not. Did someone claim it was?

The open ecosystem of Android is that users can choose to install apps from any source they like. Apps like Syncthing-Fork and (full-featured) Nextcloud are available from other sources including F-Droid. Google does a couple things to privilege its own store, though I think those are being mitigated due to legislation and litigation.


> No, it is not. Did someone claim it was?

No, we said that's what we want it to be.



