Something you may have not noticed about AppOps is that you can use it to give fake permissions to the apps so they think that they have a permission but when they try to actually use that permission they don’t get any data from the API.
I personally think that the added attack-surface is worth it for the functionality it provides.