This user obviously had location services enabled in the camera app that took the photo that he gave to Path. If location services were actually off, there would be no leak.
The point is^ that users don't (and couldn't be expected to) understand that location service permissions aren't transitive. They have gone to the options menu and said "No path, you may not use my location". The result is that path has still used their location. The steps from A to B and the technical steps taken are-- from a user's perspective-- irrelevant.
^I'm not an iOS user, so maybe the UI makes this all blindingly obvious, in which case I apologise and you can ignore my entire response.
