I don't think it has to be explained why this is a potential problem. So then, it should be explained why this is such a great idea that the problems it creates are insignificant.
The Android permissions model is a mess and has been since day one, but not in the way most Slashdot geeks are up in arms about. When was the last time you actually looked at the full list of permissions? It's ridiculous. You have to be an Android developer to understand some of them. Many are pointless in the extreme: the result of simply associating every API with a permission whether it makes sense or not. Do I really need to know that an app might use the vibrator when I install it? A few permissions aren't even written in understandable English, so god knows what they become when translated into a language like Arabic or Chinese.
What's more, others (like the internet access permission) have never worked. People think it means "you can give this app personal data and it can't upload that data to the internet", but it never did that, because for example there are OS services that let you configure them to retrieve and process data from arbitrary URLs. The media player component does that. You can ask the OS to play music from a URL without having internet access permission, and it'll do it, so just put your personal data into the URL of your "music file" and the data gets uploaded. Heck even just invoking the web browser with a long mystery URL will let your internet-less app upload small amounts of data to the net. And there's no real way to fix any of this because any app that exposes services to other apps that involve downloading from a user-provided URL would end up breaking the "can't upload" model. So now they're hiding the internet access permission entirely, and good riddance.
Conclusion: the permissions framework was badly thought out. It was designed to let you know when apps might do something nasty to the OS, as a way to defend against aggressive apps that would otherwise do what they do on Windows and reconfigure the entire computer at install time. But there were no UI guidelines about how and when to use it, so it became a dumping ground for technical nonsense hardly any users understand. Worse, over time people's expectations have changed, and now some of them want it to be some all singing all dancing privacy framework that gives you a million knobs to tweak, even though it was never meant to be that.
Perhaps in future Android will actually get an all singing, all dancing privacy framework that does what people want, but it probably won't be a part of the app permissions system, which is meant to be for security. And it's not easy. A lot of the hacks people throw around in this thread could be easily detected and apps could just refuse to run entirely if you try and fool them.