As far as I understand, there is an option that is even simpler for application developers: all applications have the permissions to see and alter whatever they want on the phone, up to a storage quota for modifications. Most of their accesses are hellbanned, though… Hellbanning logic can be altered by applications (obviously, the user would have to allow the configuration application to access the real settings), so granularity can be added as a bolt-on.

But I guess giving users actual security and privacy is against both Google's and Apple's interest, so this can only exist on a custom ROM without Google Play Services (or with sandboxed Google Play Services, which is probably against EULA).