I believe you when you say you’re not collecting telemetry.
Personally I think the general public severely underestimates the impact data collection can, and likely will, have. I don’t really use Google Play myself so much, but I get the impression that it’s basically a disease reservior for your Android powered devices. By and large people are desensitized to it. It’s normal now for an image viewer to request network, bluetooth, contacts and location access so the embedded Facebook and Google data mining libraries can sell you out to the highest bidder.
I love RetroArch, everybody working on it has clearly put a lot of effort into pushing out a great application, but I’m not gonna start down that road myself. It’s not okay to just say “well this is open source so I trust it.” That’s when the waters start to muddy and your more nefarious actors come in to take advantage of that trust.
Take OpenSSL for example. Despite being widely used by virtually the entire internet and being open source a serious security flaw went unnoticed for years. Who’s to say someone couldn’t bury some code somewhere deep within RetroArch? Sure I could audit the code now and decide to grant the permission, but that permission would then be passed to every future version I upgrade to and I’m not going to audit every line of code every time a new version comes out. I’ll probably even forget that I ever granted location permission in the first place and just let it go unnoticed quietly being sold out, maybe not by you, but who knows who’s going to be managing RetroArch next year or the year after.
Anyway I’m sure it’s a moot point and you’ll get it worked out. There’s nothing within Android, Android-Studio or Gradle that forces an app to request, at startup, every permission it could possibly someday need. Well, not since Android 6.