Here's how: Facebook requested those permissions on Android and scrapped them. Users (includes technical people like OP) just blindly click "Yes" on every pop up.
Even if you're super careful with your permission, Facebook can still construct a good profile of you via the people you're communicating with.
Android has not, until extremely recently, required apps to request permission for things at runtime. Android 5.1, which is what was in use here, I believe, did not. Installing Android apps for most of Android's lifetime required granting it all the permissions it asked for.
Yeah, I believe these two things are more or less part of the same major API change to how permissions are handled. Note that until like... this year, you could simply target older Android versions to prevent users denying your app's permissions.
It looks like Google's going to try to start forcing apps to comply with targeting requirements to get apps on the Play Store now. But this really is a "too little, too late" situation, IMHO. Billions of users, as Android team likes to brag about, are already compromised.
Even if you're super careful with your permission, Facebook can still construct a good profile of you via the people you're communicating with.