Google was aware of this problem and kept improving the security and user privacy of the Android operating system until 2015, when Android Marshmallow (6.0) was launched. Among its features were runtime permissions, which ask users to allow or deny a permission during the app session, so that they better understand the context in which the app requests that particular permission. SYSTEM_ALERT_WINDOW was included in a list of very dangerous permissions, for which a full-screen window asks for the permission instead of the normal permission dialog.

Figure: The SYSTEM_ALERT_WINDOW permission screen

This proved to be a good feature for both users and app developers. Almost a year later, in May 2016, some developers started noticing that the SYSTEM_ALERT_WINDOW permission was auto-granted in some apps, such as Facebook Messenger, Evernote and Pocket, while other apps showed the permission screen to their users and asked them to grant it.

This was partly because of the target API level that developers set for their apps. For example, if an app targets API level 22 or lower, all permissions, including SYSTEM_ALERT_WINDOW, are granted at install time by Google Play. Apps targeting API level 23 or higher request permissions during the app session. But according to Google Play policies, a new app cannot target two levels below the current stable API level. At the time of writing this article, Android 10 (API level 29) is the current version, so all new apps must target at least API level 28. Developers have no way to target a lower API level in order to get all permissions granted at install time.
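The target-API rule above can be checked from an app's decoded manifest. The following is an added example, not code from the article or from Google: `audit_overlay`, its return keys and the sample manifests are constructed for illustration, and the Play floor of 28 is the figure quoted above. It cannot detect the Google Play auto-grant exception, which is not visible in the manifest.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer the defusedxml package

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
RUNTIME_PERMISSIONS_API = 23  # Android Marshmallow (6.0)

# Constructed sample manifests in decoded text form (not taken from any real app).
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
MODERN_MANIFEST = LEGACY_MANIFEST.replace('targetSdkVersion="22"', 'targetSdkVersion="28"')


def audit_overlay(manifest_xml, play_min_target=28):
    """Classify how SYSTEM_ALERT_WINDOW would be granted, per the target-API rule.

    play_min_target is the Google Play floor for new apps quoted in the article (API 28).
    """
    root = ET.fromstring(manifest_xml)
    # uses-permission-sdk-23 declares a permission only for devices on API 23+.
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    sdk = root.find("uses-sdk")
    # A missing targetSdkVersion defaults to minSdkVersion, which itself defaults to 1.
    raw = "1"
    if sdk is not None:
        raw = sdk.get(ANDROID_NS + "targetSdkVersion") or sdk.get(ANDROID_NS + "minSdkVersion") or "1"
    if not raw.isdigit():
        raise ValueError(f"non-numeric targetSdkVersion: {raw!r}")
    target = int(raw)
    if OVERLAY not in requested:
        model = "not-requested"
    elif target < RUNTIME_PERMISSIONS_API:
        model = "install-time"   # granted with every other permission at install
    else:
        model = "in-session"     # user sees the full-screen permission window
    return {"package": root.get("package"), "target_sdk": target,
            "grant_model": model, "below_play_floor": target < play_min_target}


if __name__ == "__main__":
    for manifest in (LEGACY_MANIFEST, MODERN_MANIFEST):
        print(audit_overlay(manifest))
```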

So how were big apps such as Messenger or Evernote getting a permission as dangerous as SYSTEM_ALERT_WINDOW auto-granted without users even knowing? Developers started asking these kinds of questions through Google's Issue Tracker, and Google finally answered. Quoting from https://issuetracker.google.com/issues/37119304:

This is an intended behavior to allow popular apps to keep working until we have an alternative APIs in the platform for these apps to migrate.

But what did Google mean by “popular apps”? Does having 1 million downloads make an app “popular”? How about 50 million downloads? It turns out that you need to ask Google to review your app in more detail if you want it to be auto-granted not only SYSTEM_ALERT_WINDOW but also other things such as SMS and call log access. You can submit your request using the form available at this link.