Things done wrong through these APIs are crimes done on other people's property, and in other countries. Enabling these things is collusion. Things won't really change until criminal sentences start being handed out. Handed out by the bucketload for all historical crimes. That compensation be seized at that time across employees according to their culpability... This includes the collusion by investors and shareholders...
We could say that 10-90% of your time spent productively on the internet is wasted by illegitimate schemes of damage such as these. That is an amount per year in damage costs that no company can afford.
Companies should only make money in legitimate ways. All this stuff needs to be closed down. If they can't make enough money in non-targeted advertising (not harassing people, but having advertising either in general, or related to the content being viewed) they should charge for services, or give up.
All advertising should be optional. They should not force people to watch advertising, that is Slavery, or steal their privacy, that is Theft and Stalking. These are crimes. What a person does on their machine is their right and ownership, beyond others' control, except Legally. Prosecution rather than subversion and illegal or unwarranted control, is the desired way of addressing people doing wrongs on their machines.
Contracts forcing people to share information unwarrantedly are unfair contracts under contract law, and challengeable to be changed. Unreasonable contracts forcing people are Slavery, and coercion. Those forcing such contracts, and writing them, should be prosecuted under the Criminal law, as well as the civil.
APIs that enable explicitly bad behaviour require their use by others to address such behaviour. But would we need such APIs if they were not available? The API system should be by privilege only, to the sole benefit of the user owner. The user who uses has ownership of their privacy, the user that owns has ownership of the system, but the system intellectual property owner has rights to his/her intellectual property's secrecy, but no right to trade secret as revealed. Designing a system like this protects people from harm.
To protect people, they further need to put in options for things like ad blocking, and to nominate optional services to carry this out, by blocking rather than substituting, on a permission by permission grant basis. That user privacy is not shared, that information fed back about page exploits is truly anonymised with untraceability in a fashion better than Tor. That the company providing security options, or any app, has no idea what the user is doing, except that the user pays money, and even that should be anonymisable. That no manufacturer's account is required to download and use apps on a device, only payment, which may be tied to a device and transferred.
You can 100% not rely on an app store to handle security. App behaviour after installation can be used to circumnavigate security. You can see funny business in relying on app stores to protect privacy.
That all apps are required to operate with whatever permissions the user decides to give them, without harassing users for permission, or be removed from stores. If denial of a permission makes an app unusable, it is up to the owner. That the maximum permission auto-granted for an app is the minimum for that app type. That the user's preferences for apps, app types and apps further automatically restrict this. That the user has manual overrides for general, app types and individual apps, where they may, with user verification, increase or further decrease app permissions live (I have been trying to get them to do these things for years, since the first time I suggested user definable permissions, which later became the user definable permissions we have had). Permissions are to be fine-grained, including firewall-like permissions. Permissions are not to be used to hide further permissions underneath them, as is now done, where it appears you give little permission, but in reality covertly a lot, even undefined to the user. Such covert behaviour is to be regarded as illegal subversion in order to make an illegal gain to privacy or stalking.
Security should identify acceptable file and data patterns, and repair, wipe and/or replace as necessary (I have been trying to get them to do that too). This will remove injected code, and hopefully injected data, and corruption.
All apps and components are to be sandboxed in such a way that they are the only things in their address spaces.
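As an added illustration of the layered permission model described in the comment above (not the commenter's own code), the following constructed Python resolver computes an app's effective grant from the app-type minimum, the user's general, per-type and per-app restrictions, and verified manual overrides, and expands coarse permissions so no sub-permission stays hidden underneath. All app types, permission names and tables are made up for the example.

```python
from typing import Dict, Set

# Constructed catalogue: the minimum permission set each app type needs to
# function at all. Under the model in the comment, this minimum is also the
# maximum that is granted automatically.
TYPE_BASELINE: Dict[str, Set[str]] = {
    "flashlight": {"camera.torch"},
    "messenger": {"net.client", "contacts.read", "notify"},
}

# Constructed expansion table: what each coarse permission really implies.
# Expanding it makes every sub-permission visible instead of hidden beneath.
IMPLIED: Dict[str, Set[str]] = {
    "contacts.read": {"contacts.read.names", "contacts.read.phones"},
    "net.client": {"net.client.https", "net.client.dns"},
}


def expand(perms) -> Set[str]:
    """Flatten coarse permissions into the full fine-grained set they imply."""
    out: Set[str] = set()
    for p in perms:
        out.add(p)
        out |= expand(IMPLIED.get(p, set()))
    return out


def resolve(app_type: str, app_id: str, global_deny: Set[str],
            type_deny: Dict[str, Set[str]], app_deny: Dict[str, Set[str]],
            overrides: Dict[str, Dict[str, Set[str]]], verified: bool) -> Set[str]:
    """Effective grant: type baseline, narrowed by the general, per-type and
    per-app preference layers, then adjusted by manual overrides only when the
    user has verified them. The result is always fully expanded."""
    eff = expand(TYPE_BASELINE.get(app_type, set()))
    eff -= expand(global_deny)
    eff -= expand(type_deny.get(app_type, set()))
    eff -= expand(app_deny.get(app_id, set()))
    ov = overrides.get(app_id, {})
    if verified:
        eff |= expand(ov.get("grant", set()))
        eff -= expand(ov.get("deny", set()))
    return eff


def request(effective: Set[str], perm: str) -> bool:
    """An app asking for more than it was given is simply refused; there is no
    prompt to the user, so the app cannot nag its way to a wider grant."""
    return perm in effective
```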