What is the scariest permission that an app can have? (iOS and Android)

This depends on what you're trying to defend against. In my opinion (on GrapheneOS):

• "Accessibility" permission (i.e. full control of the device)
• "Network" permission
• "Modify system settings" permission
• "Install unknown apps" permission
• Any permission that allows apps to communicate with one another (such as a reduced sandbox, file permission, or app communication scopes)

Those are the only permissions that I can think of off the top of my head that could potentially allow an app to phone home. Turning off Wi-Fi for the device does little if the app also has the "Wi-Fi control" permission.