The "flaw" is that apps you explicitly gave permission to use the camera, can use it! All they've done in P is notice that they can tighten the permission even further so the app has to be in the foreground to use that permission.
The lack of this wasn't a vulnerability though. Mobile operating systems have been implementing finer grained permissions and security through their entire lifespans. For sure that trend will continue. If we spin every improvement to privacy controls as "fixing a vulnerability" it's just a form of crying wolf that will lead people to ignore security updates even more than they already do.