Probably the fact that Google Play Services can update itself without your approval or consent, so Google can push any antiprivacy feature to your phone they want without your knowledge at any time.
Play Services meets basically every definition of malware.
Not really. Strictly speaking Google Play Services is a rootkit. One that can be used remotely. And it contains heaps of invasive user tracking code. Is is pretty much malware.
To be fair though, it is important that we continue to pressure Microsoft about their telemetry practices as well. Microsoft's business doesn't depend on data collection, and they could very easily return to not mandatorily collecting it, but our voices on the issue have not been loud enough yet. (And actually, as I recently discovered, Microsoft won't allow you to submit feedback about their apps unless telemetry is enabled at the Enhanced or Full levels on their OSes.)
But, I do agree that Google gets naturally positive response and Microsoft gets automatically negative response, even though many of their practices are quite similar.
Besides the security issues that other people will talk about, it's huge in terms of both RAM usage and storage, so if you have a low-end phone, that's quite significant. It can also be a major battery consumer.