Just to clarify, it’s not just that there’s an Android API to ask for permissions that apps use to show a consistent UI: that’s the way that apps actually get access to whatever feature they’re requesting, and if they don’t go through that API they don’t get access. An app can’t just decide in an update that it wants access to contacts without asking. The Android API to get contact info checks the app requesting the info and won’t give it anything if the user hasn’t explicitly granted that permission to that app. Most commonly when something like this comes up it’s a permission that was granted in the set of permissions requested when the app was installed and the user just skipped through the prompt and they don’t realize they granted access to contacts.

For the curious, here’s the Android developer guide page that describes how Contacts permissions work for app authors. And the page describing permissions in general, how to request, etc.

Edit to add: You can go into the settings for the app (not in the app itself, but in the app manager under your device settings, usually also accessible by holding on the app’s launcher icon and going to Info) and you can remove permissions that you’ve granted previously. So if you’re worried about this you can yank the Contacts permissions at the OS level and it doesn’t matter what the Discord settings are, they won’t be able to access your contacts anymore.

Access to Contacts has to go through the Android API, which means the user has to explicitly grant permission for Discord to access that specific functionality. That’s what the comment you’re replying to meant: access to contacts is protected at the operating system level and they’ve seen the source code on the OS side. Permissions might have been granted by the user reflexively, just muscle memory, when setting up Discord, but it absolutely had to have happened if Sync Contacts was enabled. Unless there’s some kind of bug where Discord enables the in-app setting without actually having the permissions to access contacts–I guess that could be possible. It couldn’t actually see any contact info in that instance, but it would try. If I go into Discord settings and try to enable the Sync Contacts option my phone displays the built-in Android permissions prompt with the text “Allow Discord to access your contacts?”

The author explicitly says that they didn’t tamper with headers or user agent. I’m neutral/not knowledgeable on the rest of your comment, but wanted to clarify that point.