even on the old 4.1 Jelly Bean it was possible to install XPrivacy on a rooted Android
Let me get this straight: in order to install a protection mechanism you have to remove the installed protection mechanism, weak as it is?
Interesting is that Apple is far more successful in refusing apps that misbehave. Not perfect, but *far* better. Android is apparently aiming for the role of Windows in the mobile world.