The concern (at least for me) wasn't that Niantic was doing anything nefarious, it was that if they didn't even know they were asking for full permission are they professional enough to prevent that full permission from being misused by a malicious actor? The app is so popular that an exploit could be a gold mine for black hats.

Glad to see Google patching the permissions server-side, as I bet a lot of people just checked the app out once out of curiosity and won't launch the updated version.

Seeing as the Android version only required the LOWEST possible Google permissions scope, my guess is someone checked the wrong box, or for some reason was doing something in development that required slightly more permissions and simply forgot to switch it back.