1)Not necessarily. Something as simple as not enabling that code for a month after release would get it by reviews. They aren't reviewing source code, they're reviewing behaviors. Just like you don't speed when there's a cop right behind you you wouldn't connect when you're being watched
2)They ask for a lot of permissions because the permissions aren't fine grained enough, and because polsih requires it. For example I had an app that did sound effects when you tapped a key. The OEM requested that we turn off sounds when the user is in a call so they wouldn't play on the other end. This reasonable request required a new permission (CALL_STATE IIRC), which actually gave us much more info than we wanted (we got to find out when calls started, ended, and the connection number which we didn't need). But if you just looked at our permissions your reaction would be "why do you need to know who I'm calling"? We didn't there was just no way to request less info, we didn't even look at the number.
One of the big problems was that Google redesigned the play store to be less scary and show fewer permissions. One of those was that any app could request internet permission without it showing up. That was just wrong.
What we really need is the ability to turn on and off specific permissions by app. Perhaps with the ability to limit internet permission to certain IPs/URLs per app. That would solve most of the problem.