Answering my own question, they need a way for users to grant location permission only to the primary app and not any of its dependencies, as once you grant it, it's available to all code in the app. It would be great if there was some way to separate those.
They could also better enable network traffic inspection on device, so we could tell where data is going. LittleSnitch on iOS would be great.
IP is often enough to correlate things. LittleSnich or whatever is no help - oftentimes data is collected by the app/site directly, and then funneled to various systems via kafka-like brokers. In this case you always have only cobbections to something like cool-application-domain.au