It's a pain, but the average user needs to start actually paying attention to app permissions.
Except the "average user" literally CANNOT understand the permissions being asked for.
That's why an up-front model for permissions is inherently broken. If an app sneaks in location in the set of permissions an "average user" will never see it. If it asks them if the flashlight app can have their location when they run it, or access to contacts - there's few people that would agree to that.