Privacy manifests needs to be in an app as well as all its required dependencies. Question is, does the app need to duplicate the information from third-party frameworks or just have its own? Is having an app compiled with up-to-date versions of libraries is good enough?
The app must only declare information about itself in the privacy manifest and not duplicate the privacy manifest of third-party frameworks. If a third-party framework contains a privacy manifest, Xcode and Apple will be responsible for merging all privacy manifests within the package.
You can check this behavior creating an archive of your app and selecting Generate Privacy Report. The resulted report should contain information about all frameworks inside your app.
Step by step from Apple:
For more information: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests#4239187