Do Google services have access to the camera/microphone if you don't give this permissions?

the answer is yes, unless you're on GrapheneOS. Google Services is a privileged app and therefore it can bypass permissions as it sees fit.

GrapheneOS (optionally) installs it as a unprivileged app, which you can restrict permissions to. Still, I wouldn't recommend installing it since they have extensive telemetry.

Isn't the telemetry neutered by not giving GSF network permissions (on grapheneos)?
- what's the purpose of not giving it network permissions? you won't be able to install apps, use push notifications or any other major functionality.
  
  I could be missing something, of course.
I wouldn't be so sure about the possibility of a bypass. I've heard that system applications have more privileges, but sandboxing is still active and permissions work for them.
- Wasn't there news a couple years ago that google tracked your location even if you had location turned off?
- I'm rooted with GSF, revoking some permissions forcibly from Play Services (most notably location access) causes the device to reboot, and the permission gets restored forcibly.
  
  This never used to happen previously (the permission used to get revoked successfully, and things like Google Timeline would act as if your device had disappeared despite location being enabled). I assume a background update implemented this permission recovery mechanism - i've since disabled play store on my device and slowly been culling off my usage of other Google apps
- There really should be no doubt that a system application can have unlimited and unrestricted access to everything, bypassing all security and sand boxing. That is the extent of the meaning of system app. It's like having root privileges, admin access.
  
  Whether Google makes use of it or not is something else, but it could be exploiting that privilege and with Google's history and the fact that the distributed version of android which contains the google services pre installed is a custom version of android of which you'll never see the source code, you really have to ask yourself.
  
  That's why GrapheneOS is so important: you are the user and you get to control how Android works: the way it actually should, where if you install google services (which is up to you!) it gets installed under your terms and with your permissions.
  
  Edit: correcting a misinformed message and the irrelevant followup. More clarification on system apps here: https://developer.android.com/guide/platform/
- It absolutely can. It took a screenshot of what I was doing without my permission. Only reason why I found out was cause it for a survey they were doing. So I wouldn't be surprised if they're doing it all the time without me knowing.
Wait, what? Do GrapheneOS have telemetry?
- No, they meant that Google Play Services has telemetry.
  
  Basically, GrapheneOS makes it much safer to use Google Play Services if you have to use it, though it still isn't entirely safe and should generally be avoided where possible.

So these are the permissions google service has.

network (didnt had enough space on screen)

Thanks. Wouldn't be able to check it myself, because of using microG :D

Everyone talk about GrapheneOS. But CalyxOS is very good too.

"Good" really depends on what you're after. Do not use CalyxOS if you care about security. They are significantly behind in implementing security patches, regularly. You are in some way more vulnerable with CalyxOS than regular android on a pixel because you would get security updates faster on pixel. Additionally, the network permission of GrapheneOS is a paramount security and privacy feature. Also, GrapheneOS takes over all location services requests even if you use google services, making sure that even if google services are installed, google only gets location info whenever the location request is for the google services, not all/any services or apps on your phone. There are additional points too, but CalyxOS, while I don't want to bash them, should not be considered a secure OS the same way GraphemeOS is.
- The problem with Graphene os is that it is unethical. I want my device to be fully free or as free as it possibly can be. Graphene doesn't see to care about that.
  
  Calyx is a bit better because it is a little stricter on software. Probably the best solution is to only install a apps you need and only get them from F-droid.
What about DivestOS? Only option for a private system when you don't have a Pixel
- Divest os is much more free in terms of software freedom. They minimize binary blobs and keep everything clean. They also maintain mull browser.
Everyone talks about custom ROMs, it's so fucking annoying not a single one is supported on my Motorola g73. Next phone I'm getting is a fairphone, and I'll dual boot a custom Android ROM and postmarket OS.
- Excuse me, dual boot? Is that still a thing?
I recommend checking this table out.

CalyxOS misses the mark imo. It does a couple things well (such as its improved Dialer app, and the ability for hotspots/tethered devices to be able to use the phone's VPN/Tor) that I hope to see other projects adopt, but beyond that, it just doesn't seem to stack up.

I'm not trying to bash them or anything because at the end of the day, they clearly have good intentions which I can respect, but I do hope they improve on a lot of things, because in its current state, CalyxOS just doesn't even compare to GrapheneOS or DivestOS.
- The only thing which stop me to install Graphene is that I need some apps that I'm not sure will work with this os
definetly :)

In order to have google apps and google services on an android installation that doesn't have them yet, you need to sideload them. LineageOS has a list of GApps zips and here's an example of how to install them for a FairPhone running LineageOS.

If you look into the zip /system/system_ext/etc/permissions/privapp-permissions-google-system-ext.xml, you can see all the permissions given to it a system application.

android.permission.RECOVERY, android.permission.MANAGE_USERS, android.permission.INTERACT_ACROSS_USERS stand out the most. These permissions allow the phone to be started, arbitrary apps to be installed and users to be created with new permissions.

Google Services doesn't need to have access to camera or any other component as it can install whatever it likes that has access to those.

Let's not kid ourselves, if you have Google Services installed, you have a rootkit installed with a bunch of proprietary code.

~~Here's the entire file for reference and you can look up each permission individually to see what access will be given.~~ lemmy doesn't handle XML in triple backticks well (at all).

How well do you think Graphene's sandboxed play services alleviates these concerns?
Thanks for the detailed response. Creating/interacting between new users is a serious opportunity for permission bypass. Content of the file won't load for some reason, but still :)

I am still not sure if sandbox is completely disabled for system applications. No comments with real arguments. But thank you, guys :)