lberrymage
commented
1 month ago I don't remember the details, but QUERY_ALL_PACKAGES does grant additional access beyond what's available through a wildcard intent filter. Some platform APIs require it. Additionally, while wildcard intent filters can be used for much of the functionality of QUERY_ALL_PACKAGES, these too can be audited through the manifest if we ever decide to, and we want to maintain enforcing security guarantees at least as strict as Google Play, which checks QUERY_ALL_PACKAGES.
Apps can very easily get the full app list of users without this permission. I may be missing the reason why its considered sensitive if it can be bypassed in a trivial manner.