Every app has access to the internet. This is by design of Google. So you think you're granting the *app*, and only the app, permission to some private data, but actually, you're granting the *company* behind the app permissions to read your private data, and their governments and the government of any jurisdiction they trade in, and their partner companies, and the governments that the partner companies trade in.......
1. A firewall on the apps, and
2. the ability to deny the apps access to data without telling them. e.g. reject access to the camera, should still tell the app it *has* the camera access, but prompt the user each time the app tries to access the camera, while giving the app access to a blank camera feed till the person grants permission.
Also quit the selling of user private data, make it illegal, and you'll kill off the market for it. Apps should not be able to spy on their users, then sell their secrets for profit. Yet that is what is being sold in the market for private data.