For example, many apps, especially messenger and social network apps secretly or openly export contact lists from devices. Not only this is highly unethical, it might be a violation under GDPR because the information in the contact list is personal information and you must obtain the permission of that person for transferring the data abroad, not only the permission of the phone owner.
Almost every mobile app collects IMEI, a hardware identifier that allows governments and mobile companies to track the precise location of your phone. While such data are highly sensitive, they collect it without any second thought. Even a simple keyboard app was collecting all the data it could grab .
I can remember how Google was collecting WiFi data, without permission from access point owners. It was also collecting the traffic sent over WiFi .
It seems like the companies in every country have similar interests for users' data.
Also, I have a noname Chinese phone and when I examined its traffic with Wireshark, it was attempting to send data with IMEI to Chinese servers (luckily I had no SIM card inserted so it couldn't get a phone number). It was sending data to Google servers as well, but sadly they were encrypted with SSL and even installing a self-signed root certificate on the device didn't help to decode the contents.
So I think there should be better regulation of data collection. The general rule ("not a single byte" rule) should be that no data can be sent anywhere without explicit user's consent (not a phrase somewhere in the EULA). Also I think the manufacturers should put large warnings on the boxes, like the ones on the cigarette packs, like "This device sends all your private data to country X", "This IoT device will spy on you 24 hours a day", "This device uses a cloud in country Y", etc. So that the consumers better know who will spy on them.