Alas, no permissions doesn't fully mean no privacy intrusion/violation. For example, system permissions are not needed to track how many times you calculate 8008135, and upload that statistic together with your IP address to a public website.
But basic internet permission is given to all apps without asking.
But it really shouldn't be! And GrapheneOS, at least, always asks the user when installing apps that want network permission. If the user doesn't plan on using any network-based features of the app, they can simply decline.
I've discovered on Lineage that even denying an app internet permission, the app can apparently know when the device is online. That also shouldn't be possible, I think.