"W3C specifications do not specify any policy do not discuss any risks associated with this"
Perhaps because they feel that mfg should
a) Be aware of the risks, because why should customers buy from them.
b) Be free to implement whatever view of privacy they think fit.
Unfortunately so far it seems most mfg privacy policy is not to bother with giving the customer any.
Of course that may be because IRL phone mfg sell to networks, not end users, so feel the network is their customer.
Except for that new UK one El Reg reviewed a little while ago that seems to have quite a good one for stopping apps asking for stupid amounts of data for the (very) dubious privilege of running their (usually) shoddily written code.