One thing that is kind of unique about this vulnerability is that users can actually prevent attacks from happening by checking the permissions on an untrustworthy app, because Google has permissions controls built in for the features that are being abused here.
The heart of this vulnerability is more in that these settings aren't clear on their implications and there are bad defaults. Disclosing to users seems to be a responsible thing to do since users can prevent an attack on their own device (especially given Google's response of "working as intended").
This is insightful, thanks. In this specific case, you're absolutely right that users themselves can take steps to mitigate the risk. If users come to understand the real meaning of granting permissions as a result of this disclosure, that's better for everyone.
Definitely a factor to take into account, particularly when deciding how the information will be publicized.