Tags: android, cordova, security, android-permissions

Possible for malicious Android app to collect texts without requesting the permission in the manifest?


From everything I've seen, it doesn't seem possible to collect Texts, Phone Calls, Logs, etc. in an Android app without explicitly declaring the corresponding permission(s) in the manifest. Is this always the case?

What if an app uses an Android plugin like Apache Cordova for example? Must the plugin explicitly state the permissions in the config.xml?

Along the same lines, does an app have to display all permissions it can request/has requested in the app settings permissions?

I'm curious if malicious Android apps are capable of hiding permissions they are using.


Solution

  • No, apps cannot hide the permissions they are able to access.

    Frameworks like Apache Cordova, PhoneGap, React Native, Flutter, etc. (and all the others) all operate within the Android framework, and are subject to the same security constraints: they must declare the permissions in the manifest, and request dangerous permissions at runtime if they target Android 6.0 or higher.

    If an app, using any framework, were able to bypass these requirements, that would be a security bug in the platform (unless the reason they are able to do it is a vulnerability in another app, such as if an app exposed the user's contacts to any app that requested them with no permission check).

    The permissions displayed in the settings are based on the permissions declared in the manifest and those granted by the user at runtime, so they wouldn't be able to hide things there, either. It's worth noting, though, that some less-dangerous permissions aren't displayed on the initial screen and are instead behind the "all permissions" menu option.
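As an added example (not code from the question or the answer above), here is the kind of check a reviewer can run on a decoded manifest to see exactly which permissions an app, Cordova-built or otherwise, ends up declaring: it lists every `uses-permission` entry, flags those in a partial set of real dangerous permissions, and reads `targetSdkVersion` to tell whether the Android 6.0 runtime prompt applies. It assumes the APK has already been decoded (e.g. with apktool) so the manifest is plain XML; the sample manifest is constructed.

```python
# Added example (not from the question or answer): audit the permissions a
# decoded AndroidManifest.xml declares. Assumes the APK was decoded first
# (e.g. with apktool) so the manifest is plain XML.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
RUNTIME_PERMISSION_SDK = 23  # Android 6.0: dangerous permissions need a runtime grant

# Partial list of real "dangerous" permissions covering texts, calls and logs.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
}

def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")

def declared_permissions(manifest_xml: str) -> list:
    """Every <uses-permission android:name> in the manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    return [_attr(el, "name") for el in root.iter("uses-permission")]

def target_sdk(manifest_xml: str):
    """targetSdkVersion from <uses-sdk>, or None if absent (Gradle may set it instead)."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    value = _attr(sdk, "targetSdkVersion") if sdk is not None else None
    return int(value) if value is not None else None

def audit(manifest_xml: str) -> dict:
    """Declared permissions, the dangerous subset, and whether runtime prompts apply."""
    perms = declared_permissions(manifest_xml)
    sdk = target_sdk(manifest_xml)
    return {
        "declared": perms,
        "dangerous": [p for p in perms if p in DANGEROUS],
        "runtime_prompt": sdk is not None and sdk >= RUNTIME_PERMISSION_SDK,
    }

# Constructed sample: what a Cordova build with an SMS plugin might produce.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
```

Run `audit(SAMPLE_MANIFEST)` to get the declared list, the dangerous subset and the runtime-prompt flag; a permission missing from this output cannot be used by the app, whichever framework built it.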