I think the problem is that older SDK versions allowed you to do things like scan local WiFi names to get location data, without requiring the location permission.
replySo bad actors would just target lower SDK versions and ignore the privacy improvements
The newer Android version could simply give empty data (for example, location is 0,0 latitude longitude, there are no visible WiFi networks), when the permission is missing and an app on the old SDK version requests it.
replyOf course, they don't like this because then apps can't easily refuse to work if not allowed to spy.
That can have some very extreme legal ramifications.
replyConsider - it's a voip dialing client which has a requirement to provide location for E911 support.
If the OS vendor starts providing invalid data, it's the OS vendor which ends up being liable for the person's death.
e.g. https://www.cnet.com/home/internet/texas-sues-vonage-over-91...
which is from 2005, but gives you an idea of the liability involved.