1. In order to achieve this functionality, the app explicitly requires permission to receive SMS [1] [2]
2. I agree that the general population likely isn't fully aware of the implications of granting permissions for such things. Having said that, I think that privacy/security/transparency is one of the things constantly being worked on with subsequent Android OS updates [3] [4], and I think that things are getting better.
Personally, I don't grant access to sensors like microphone/camera/location to apps that I don't want using them (most apps), and I think people should be aware of potential hazards here. Then again, people are openly inviting Amazon Alexa and Google Home into their homes ...
On the other hand, as a developer I like having the ability to build this, for me, and potentially for others who find use for what I wrote, with full transparency/visibility into the source.
