But if I install an app that asks for it on an Android 4.0 device, the app will install without any warnings. If the device is then upgraded to 4.2, the app will silently get the "Across_users" permission activated. So now we have a user-installed app which has a permission that it could never legitimately have that lets it bypass security and the sandbox, and the user will be unaware of the problem.
Mod Parent UP.
That is EXACTLY it in a nutshell. Perfectly described.
Pretty devious way for someone like the NSA (or a Prince from Nairobi) to get their hooks into your Android.