Regardless, the permissions were there for years.

   read your text messages (SMS or MMS)
   read call log

Was nobody able to make the inference that facebook might be uploading this stuff to their servers? Remember this was during the whole "facebook is surreptitiously listening to our conversations" fiasco.

Everything you install on basically every desktop OS, by default, has access to practically everything.

I think most people would be surprised if they discovered that apps were uploading their emails. And photos. And tax documents. Just because they happened to be on the hard drive, and there were no permissions to prevent it.

Expecting FB to not do similar and respect basic privacy by default is reasonable. FB doing such things just because they can is not.

If I thought that a file manager would steal all my data, I'd never install it. On (most) desktops there's no easy choice: apps will have permissions, but you might be able to sue the author for illegal access if they took all your data.

On mobile, suddenly, it's: lol, you gave it away!

That makes little sense. Yes, we should have better sandboxes - but we still have very few (none) usable general operating systems with Internet access that are "secure beyond trust".

Absurdly, I'd be more confident in a typical Debian install with thousands of programs from "main", some running in the kernel - than a typical Android device.

Because of presumed incentives for the volunteers/employees working on debian and the various upstream projects.

This is 99% about trust and incentives and 1% about capabilities.

As someone who has rallied against FB for years, there's always some justification:

"It'd be too risky to their business for them to do something like that!"

"Someone would have leaked the secret by now!"

"There's no way a company that big could get by doing something that blatant!"

I think people just don't like uncomfortable truths, even when staring them in the face.

> READ

It says read, not steal and keep in their own servers.