There are very straightforward solutions, depending on the threat model. For example, the app could send VW a private key every day, and VW would send that key to the car. Then the car sends periodic location reports, encrypted to that key. VW can, upon request, send the report to the app, which decrypts it. But VW can’t decrypt the report itself, so they don’t know the location of the car. Also, it’s forward secure in the sense that a leak of VW’s database is entirely useless after a day.
Otherwise, if there is no pre-existing private channel, the key (which by the way would have to be the public key, not the private key) could be switched out by VW acting as a man-in-the-middle, allowing it to access all encrypted content going through it.
The same is true for Apple. There are parts of the protocol or the pairing where you have to trust Apple, either their servers, or if the establishment happens locally via Bluetooth or similar, their software that runs on the local devices.
It would also introduce a lot of additional failure modes.
Doable but not exactly trivial.
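The scheme from the first comment, with the reply's correction folded in (the app hands out a public key, and app and car compare a key fingerprint over a trusted channel such as pairing, so a relay that swapped in its own key would be noticed), as an added Go example that is not code from any commenter, VW or Apple. The function names, the X25519 plus AES-GCM choice, the blob layout and the SHA-256-of-shared-secret key derivation are all assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed demo (names, blob layout and key derivation are assumptions, not any vendor's protocol).
// must keeps the demo short: the wrapped calls fail only on a broken random source.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newDailyKey is the app's key pair for the day; only PublicKey() is handed to the vendor.
func newDailyKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
// fingerprint is what app and car compare over a trusted channel (e.g. at pairing), so a relay that swaps in its own public key is noticed.
func fingerprint(pub *ecdh.PublicKey) [32]byte { return sha256.Sum256(pub.Bytes()) }
// aeadFor derives AES-256-GCM from the X25519 shared secret (demo shortcut: a real design would use HKDF with a context label).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer) // errors on a low-order peer point
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return cipher.NewGCM(must(aes.NewCipher(key[:])))
}
// carSeal (car side) seals one report to the app's daily public key under a fresh ephemeral key: blob = ephemeral pub (32) || nonce (12) || ciphertext+tag. The vendor relays the blob but holds neither private key.
func carSeal(appPub *ecdh.PublicKey, report []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	aead := must(aeadFor(eph, appPub))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(append(append([]byte{}, eph.PublicKey().Bytes()...), nonce...), nonce, report, eph.PublicKey().Bytes())
}
// appOpen (app side) succeeds only with the matching daily private key; after the length guard, X25519 NewPublicKey (a length-only check) cannot fail.
func appOpen(appPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 44 {
		return nil, errors.New("blob too short")
	}
	aead, err := aeadFor(appPriv, must(ecdh.X25519().NewPublicKey(blob[:32])))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[32:44], blob[44:], blob[:32])
}
```

Rotating the daily key is what gives the forward-security property from the first comment: a blob sealed to yesterday's public key is useless to anyone who later obtains the vendor's database, because the matching private key only ever lived in the app.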