If nothing else, no photos is likely blocked permissions, but if there are no photos, contacts, location, health data, etc the sum of those parts is a very strong signal.
I suppose they could select a random location within the country/state. Even select it with population weight so that the app would struggle to infer if it was being spoofed. As with any spoofing, it would be necessary to store some state for each app, and generate locations similar to the last one (but not too similar. Random weighted walk maybe, weighted towards some randomly chosen "home" and "work" and hangout places, ideally based at actual buildings in the right districts?)
If you want to go even harder you could try to do the same with images. Generate some basic images of typical snapshot scenes with some AI model, and further postprocess the pixel data to try and give it a statistical distribution that looks like a real camera rather than AI. Add some realistic EXIF too. Doing this on demand may be quite expensive, so the phone could pre-fill a cache of fresh images during quiet hours or something
This all sounds very excessive, but I will give Apple credit and say they're one company who I could actually see going to these lengths if they decided they wanted it
Almost certainly isn't good enough if your app has tens of thousands of users, what if someone got a new device and didn't restore a backup? I've met many people who wouldn't know how to transfer data from an old device