Some apps need gyro details to determine if the app is being reverse engineered. The idea being if the device is static and not moving then it is been run in a virtual machine and being inspected.
I can see how it would be useful for invalidating data in analytics, seems like a bad choice of partner for an app promoting privacy though.
As an anti-analysis tool it seems like it's more likely to harm users (api is reporting incorrectly, sensor is faulty etc) than slow down reverse engineering much.
I am strangely reassured by the GDPR email I got from my VPN provider. They are in a EU country, so breaking the GDPR will have consequences. They state clearly what they store and what they are required to store. There is an actual company in an actual house and they are in a jurisdiction I understand. No shady parent companies and weird tax schemes to get money from Panama companies.
These kinds of VPN services have always seemed shady to me.
the nordvpn app for android is sending device data to multiple trackers.
It contains all the normal things you probably expect, screen size, manufacturer, uuids for advertising etc but also some strangely specific stuff.
This includes sensor data (Gyroscope, Accelerometer, etc)
from the json sent to "AppsFlyer":