Yes the Pokemon app was harmless, but the risk of another less scrupulous app asking for the same permission is still a huge problem, because we now know just how easily people will click away their only safety check. "Fewer permissions must better" followed by "this app only needs one permission" is the perception when people don't actually read what they're doing, and malicious apps will take advantage of that now that they see it will work.

In the end, though, the fault is mixed.

1) the makers of the app got lazy in development and didn't undo their laziness before release. When security comes last in the dev process, and is missed in final release testing, that is a problem and it does reflect poorly on the company.

2) Google shouldn't have such an easy back-door permission like that to allow for a lazy development process. Everything should be white-listed yes/no. Android does this, Fire OS does this (it is a variation of Android), IOS does this, Amazon S3/AWS does this, iCloud access does this, Facebook does this.

Google short-cut it for the ease of their own developers, who one can now imply were at the time as lazy about security as Niantic's, and they've never cleaned up.

Google should be doing the same as the others for their own web cloud platform. The real security flaw of a single permission for universal access is on their end to lock down, permanently.