It doesn't have to lie: unfortunately libraries that are essentially a full application themselves (complete with their own permissions) are not uncommon on mobile.
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing