Hi @Roboe, thanks a million for the comprehensive answer! Working in IT for ~ 20 year now, I have long given up for even hoping for documentation of this quality.
I more or less was aware of the Android permission system introduced with MM and I also knew Privacy Guard, but missed the background on how the latter worked. So your explanations on that are very helpful and more than welcome! 
Some more remarks from my side:
You do, at least I know those from CM11 I ran on my SGS1 that I used before my FP2.
That’s the part that I missed, I was assuming that also Privacy Guard would just remove/reject the permission in general. We totally agree on the “clever” part. 
…which IMO is not GDPR compliant; in Germany there was a court decision that stated likewise in the case of an 11-year-old using WA (German source: Landgericht Bad Hersfeld, Aktenzeichen F 111/17 EASO). Independently of that, I personally believe I would have to ask every person I keep in my contacts list if they mind me to upload their data to the servers of an American company.
I don’t plan to, as I stated, the privacy topic is only one that keeps me from doing so. I think we can agree to summarize the other ones under
Additional take-away from your explanations:
So the second scenario is nothing that can (currently) be achieved with Privacy Guard. This will continue to be a scenario for XPrivacy.
Thanks again for your great and very comprehensive elaboration on this topic!
@moderators: Do we have an appropriate badge (or can introduce one) for Roboe, since this is definitively not the first post of excellent quality that he’s donating to this community.
I’m thinking of something like “Top contributor” or maybe anything between “Fairphoner of the month” and “Forum member of the century”…