Ah now I see - to get all the entitlements they create a super-app that happens to use those things.

Then they can spy on us for our main use case

Seems like Apple should give users the ability to download an app while rejecting an entitlement.

No, you can reject permissions, but not entitlements.

Entitlements are granted (statically, per developer certificate or maybe app ID, not sure) by Apple, permissions are (optionally) granted by users at runtime.

The only way to not have an app making use of an API gated by (only) an entitlement is to never install it.

Of course there could be permissions that are gated behind entitlements, but in this case it seems to be only an entitlement.

And even then, an app can block usage until you allow a permission; ie Snapchat doesn’t need the camera permission to allow you to chat but will block usage of the app until you enable it.

Snapchat has allowed you to chat without camera permission for years on Android. It's still required on iOS?

As I understand it, this SSID feature does not require location services permissions.

It's not a new idea but I would love to see Apple implement a way to serve eg. a fake, empty contact list for an app that refuses to enable a feature unless you allow contact list permissions.

I at least partially blame Apple for this too.

I personally use several different terminal/Unix emulator/SSH client apps on iOS that request the "background location" permission solely because there is no actual "background execution" API.

That's a design decision. Apple doesn't trust developers in general not to abuse this background API. They expect lots of aid requesting it, unknowledgeable users granting it without thinking much, and iPhones getting a crappy reputation for battery performance as a result.

I dislike this decision (taking a choice away from the user) but from a business point of view it makes sense.