1) It's a system app, and thus has permission to "legally" suppress the notification. This can be a problem for pre-installed third-party apps. But if your phone doesn't have those, you're fine. (More or less; I don't love the idea that system apps can suppress the notification, period.)
2) It's an app that you've explicitly granted permission to draw over top of other apps. Which is a permission that's hard to accidentally grant, and is a permission that you shouldn't grant to any app, unless you super super super super trust it.
Seems like kinda a nothingburger?
20/23 apps are Google, OnePlus, or Android System apps. I never knew so many of them had this permission!
Yep, it's a nothingburger (which also explains why it's not filed through a security disclosure and getting a CVE).
Just declaring draw over apps permission will also kick you into a much more rigorous Play Store review if you try to publish the app.
It's something most of us knew already, but it's just another reason why it's a bad idea to buy dirt cheap crapware-subsidized phones, and why it's better to buy phones through electronics retailers or from the manufacturer and to steer clear of purchasing through carriers.
Sidenote: I really hope Android doesn't lose the ability to do things like these overlay windows.
These types of "power user" features are often where innovation happens. It makes me sad when flexible general purpose APIs are replaced with locked down, specific ones. (e.g. overlay windows API -> a specific "chat heads" API).
The new APIs might be fine for current use cases, but ensure that innovation terminates at whatever the OS vendor designed.
The point of the system overlay permission is to draw on top of everything else. Maybe Android should introduce some kind of overlay overlay overlay to overlay clipboard messages, but I think that would probably overcomplicate the API.
Perhaps it's better to instead send a notification when an application rendering a system overlay accesses the clipboard as well. That way, users closing out of the app can see that the application has accessed the clipboard.
Of course sufficiently privileged applications can dismiss notifications, but that requires even more difficult to attain permissions.
Doesn't have to be a replacement. It's good when you add specific APIs to do specific things that aren't very dangerous and then have the super dangerous one left as a risk signal. Innovation can still happen, common things get easier, and dangerous things get rarer. Feels pretty good to me.
Abuse from system apps is a potential threat, but you can't really do much about those. System apps can bypass all manner of restrictions; I'm not sure if clipboard access is something to be particularly worried about when system apps can already read your entire SD card and bypass app firewalls/VPNs.
Settings > Apps > Special app access