What would you like them to do? They already force apps to ask for permission, give user control over when the app can even access the location (including just once), tell the user when the app has been accessing the location repeatedly over time, and allow the user the shut off location services for each app individually whenever they want. So aside from shutting off more and more possible sideband sources of location information, what else are they supposed to do?
Unless you're saying Apple is selling the location information they may have directly?
Answering my own question, they need a way for users to grant location permission only to the primary app and not any of its dependencies, as once you grant it, it's available to all code in the app. It would be great if there was some way to separate those.
They could also better enable network traffic inspection on device, so we could tell where data is going. LittleSnitch on iOS would be great.
IP is often enough to correlate things. LittleSnich or whatever is no help - oftentimes data is collected by the app/site directly, and then funneled to various systems via kafka-like brokers. In this case you always have only cobbections to something like cool-application-domain.au