I'm experimenting with giving Play services a try instead of Aurora Store (just to see what it would look like to drop AS in favour of Play store/services, as I'm trying to understand the pros and cons being discussed in this thread: https://discuss.grapheneos.org/d/23016-controversy-around-usage-of-aurora-store/29 ).
I spun up a private space, installed play services and using it installed the banking/trading apps that I had been previously installing/updating via Aurora Store. The moment some of them detected the active play-service (or the fact they are installed by it), they have been asking for permissions they didn't before and won't start/crash if I don't give those permissions. Strangely, they don't ask for themselves. They ask it for the play-service to have those ("This app won't run unless you grant play-service these permissions: <...>").
One of these is the "Phone" permission. So I granted that to play-service which was never needed by the app when using Aurora Store. I want to understand what does this entail.
Can the play-service (and the apps that need play-service to have this permission) now:
- see call logs?
- see incoming calls?
- initiate calls in the background (without asking me or me taking any explicit action to allow it)?
- hear conversations for ongoing calls?
- See all the phone numbers on my sim/esim?
- See the IMEI of the device/sim-slot?
- Does it matter it's in the private space which doesn't seem to have a dedicated phone/sms app or would it just use the parent profiles ability to make these calls?
- Does it matter if the parent profile's phone app is denied the ability to initiate calls and send sms? I think I can still receive calls in any profile even if that profile is not allowed to make calls or send sms. Thus the question.
I just want to understand this in depth and if there's a way to mitigate this in a legit way (like say if private space couldn't see incoming calls by design then that would just trivially solve this).