>Without more information about how the system works, a casual "eh if I don't grant location data access to shady apps I'm probably safe" seems very risky.

I don't think anyone who actually is at risk, or cares about risk, is going to be overconfident about their security because some HN commenter said "you're probably fine".

>What apps are "shady"?

Depends on your paranoia level. I'd say first party apps (eg. apple/google maps/weather) are probably fine. Google has the additional caveat that they record location history and therefore might be subject to geofence warrants. If you think iOS/Android is backdoored then all phones are off limits.

>How does the real-time bidding system obtain and divulge location data?

They're whatever ad SDKs can get their hands on. If the app has location permissions, it's that. Otherwise it's something like geoip. At the end of the day it's just third party code running in some app's sandbox. If the app can't get it, the SDK can't get it either.

>I think that it is not a safe assumption that the only way corporations are obtaining people's location is via OS location APIs.

What other plausible mechanism are there then? wifi/bluetooth scanning requires location permissions since forever ago.