Most attacks on Devs are about fooling us into importing libraries that hide a callback to their server, exposing the user to lots of different attacks. Removing the Internet permission from your app blocks all callbacks. So, even if we get fooled into a lib, the app still does not leak information.