"W3C specifications do not specify any policy do not discuss any risks associated with this"
Perhaps because they feel that mfg should
a) Be aware of the risks, because why should customers buy from them.
b) Be free to implement whatever view of privacy they think fit.
Of course that maybe because IRL phone mfg sell to networks, not end users so feel the network is their customer.
Except for that new UK one El Reg reviewed a little while ago that seems to have quite a good one for stopping apps asking for stupid amounts of data for the (very) dubious privilege of running their (usually) shoddily written code.