I believe the location tracking is necessary for apps that are trying to detect the default/config access point that many devices spawn for setup. As I understand it, because wifi AP name awareness is approximately equal to location knowledge, wifi control requires a location information grant. It doesn't forgive the crummy design that implies (what about providing an allowlist of AP masks that can be scanned for?), but there is another side to the coin of "please give us location access so we can spy on you" in that uses that AREN'T for spying still require the same prompt for permission.
I wouldn't say /never/ attribute to malice anywhere we're in the vicinity of an an enormous data actor with a not-great track record, but probably at least /even/ are the number of cases of privacy violation attributable to maliciousness vs. terrible design that is either excessively encumbered or insufficiently granular.
I'm perfectly happy for Acme Random App to scan for `pps-setup-wifi-**` at one time, but not all wifi networks forever.
It's likely for Bluetooth access rather than WiFi. It's not uncommon for IoT devices to use bluetooth for setup, and it would be trivially cheap to put BLE beacons on every subway station exit in NYC, essentially giving you fine-enough location detection to uniquely identify most people within a week.
I wouldn't say /never/ attribute to malice anywhere we're in the vicinity of an an enormous data actor with a not-great track record, but probably at least /even/ are the number of cases of privacy violation attributable to maliciousness vs. terrible design that is either excessively encumbered or insufficiently granular.
I'm perfectly happy for Acme Random App to scan for `pps-setup-wifi-**` at one time, but not all wifi networks forever.