I read the article at https://source.android.com/devices/tech/config/perms-whitelist about ro.control_privapp_permissions and I understand how it works but I am left wondering why this feature exists?
The docs say:
... device implementers had little control over which signature|privileged permissions could be granted to privileged apps ...
It seems to me that they have plenty control. For apps they build themselves they can simply add or delete permissions from the manifest of their apps. For apps which come from Google such as GMS it would seem futile for a device makers to decide they don't want to grant certain permissions to Google, I'm sure Google wouldn't accept that. So what's the point? I guess this lets device makers include shoddy prebuilt apps into their system image and just give them a few permissions and hope they run properly?
Consider the following example:
An OEM (Samsung / LG / Motorola etc) is building a new device for the public safety sector (police man / fire fighters / security forces etc).
Some public safety customers have their own MDM (Mobile Device Management) solution that is based on a pre-load application. That pre-loaded application is provided by a third party as a pre-built APK and embedded into the device's system/priv-app directory.
The OEM has no control over the quality of that third party MDM application.
If the app is badly implemented, it might introduce security vulnerabilities and compromise the entire platform. Providing the third party app with the minimum needed permissions to do its work will allow to confine it and prevent privilege escalation.