And they will most likely crash if you do, because they are not expecting a SecurityException. I prefer the CyanogenMod way to just give out empty data, if a permission is not given by the user.
What you're calling the "CyanogenMod" way is actually what Google built, it's called AppOps. All CM did was expose it. The actual capability of permission revoking and handing out dummy data instead was all done by Google as part of AppOps and I assume that M is using that same system because it'd be silly not to.