Even something as degoogled as DivestOS will override your permissions and sensor settings to make the dialer app work in all circumstances. So who knows what proprietary apps that many people need might exploit this possibility.
Like you say, unless you physically disconnect the hardware, you can never now.
Apps can have denied permission from the system, but the operating system can toggle it back for itself or just lie to you.
The only defence agains manufacturer is having free software OS. And the only way against third-party malware are hardware switches.
That’s true, but you can always flash Lineage OS or just stock AOSP if there’s a version for your device
Even something as degoogled as DivestOS will override your permissions and sensor settings to make the dialer app work in all circumstances. So who knows what proprietary apps that many people need might exploit this possibility.
Like you say, unless you physically disconnect the hardware, you can never now.