Good point. I guess that this never happened
Not in iOS6 it didn't. Apple started taking user security much more seriously in iOS6, anticipating a potential for such attacks. I always thought prior to that it was kind of nuts you could access the address book without permission - now you cannot.
Ah, the old "That vulnerability is completely theoretical" defense.
And yet it turns out to be true. The vulnerability is not real, only a theoretical possibility that relies on breaking the sandbox, which they have not done (using private API calls is not breaking out of the sandbox). You don't need to do anything sneaky in an app to do private API calls, but it remains true the sandbox is pretty secure and stops most REAL attacks.
You are crazy if you are more worried about a possible attack via an unknown hole in the sandbox, vs. very real attacks that are happening every day on Android...