Yeah, permission popups are absolutely a thing. The system for that is called Portals: https://docs.flatpak.org/en/latest/portal-api-reference.html. The idea is an application asks for the tightest sandbox it needs to run, and then uses the Portal API to request capabilities at runtime, such as access to specific files or permission to start automatically. The catch is you can’t just make legacy applications magically use an API like that: it requires work on both ends. But it’s certainly happening, bit by bit :)
For me, a big one is integration with email / calendar / contacts services that aren’t Google. I don’t know where Google dropped the ball here - Android was originally amazing for this kind of thing - but at some point they started bolting a lot of features specifically on top of Google accounts, and out of the box Android doesn’t even understand how to sync with CalDAV / CardDAV. So if I want my Nextcloud stuff to work at all I need to go and install a third party app. The third party app works great (I happily used DAVx5 for many years), but it’s ridiculous when iOS has all that integration officially supported and available straight out of the box. And it even does clever things, like suggesting contact details it learns from my (Fastmail) email. Android has that stuff, but it is completely on the cloud, and it only works if you give everything to Google.