Best i can tell, quite a few requested permissions do not come from the developer. Instead it is the defaults of some framework or other the developer used to handle some of the nitty gritty details, like the ads.
This is one of those weaknesses about 3rd party dependencies on Android. Unless business and product teams value user privacy and permissions, they usually could care less than vendor X's library requires permissions to read phone state or contacts when your app itself doesn't need it. Esp. given that iOS treats permissions differently, the distinction is often ignored in favor of whatever iOS does. To those managers, the fact that Android doesn't ask the user about using a permission is a happy coincidence.
Another angle being missed is that Android won't auto-update apps if they have new permissions (modulo some minor details). The developers I worked with always added more permissions to their initial app versions for things they weren't using, but might in the future.
Still, with the latest change in permissions handling in Play, it will happily auto-update an app if the new permission(s) are in the same category as a previous one...
