I think computing devices need to have some kind of zero trust sandbox available for installation (kinda like a VM) where any API and system calls that an app use is spoofed. iOS have done this for files and photos (recently), but some is still all or nothing, like contacts. At least camera and microphone access show an indicator when they're in use.