I'd like to add a fourth choice: ask every time. When the app wants to access your GPS coordinates, you can grant it temporarily. Much like Android's integrity tools (maybe it's just a CyanogenMod feature), where you can choose to be asked every time an app wants to access some kind of data.
The mix of the grandparent's and your options might give a very streamlined UX: the app is always given the full permission, which is only simulated by default, and on any actual access the user is notified of it with a non-modal message box, where one can turn the simulation on or off. Some permissions (e.g. storage access) may not be hard to generalize like this, but it may work for other permissions like GPS and so on.
> Some permissions (e.g. storage access) may not be hard to generalize like this
In fact, doing it this way would be very bad.
In a sandbox model it’s usually the container that owns the file selection UI, perhaps accepting some plugins etc. from the client. The client is never granted permissions to see outside the sandbox. Pretend mode in this context would result in requesting unnecessarily broad access.
IMO for things like location the only way to do it in both a user-friendly and a privacy-friendly way requires a capabilities system. When an app is given privacy-sensitive data, it shouldn’t be simultaneously granted any permissions that allow this data to be leaked.