
Presumably because there is no way to verify the claim.


I think that isn’t it, because it would be easy to say something like “we can’t verify the claim that it is privacy respecting so we should assume otherwise.” Which is a totally reasonable position to take.

I think it is important to be specific, clear, and to have evidence if one wants to call somebody a liar, though.

Or maybe it is something else, it could be interesting if they have some other definition of “privacy respecting” that precludes closed source apps, for example. That is, to “respect privacy” could be understood to actually be to provide users with verifiable evidence that their private info isn’t compromised. I think this isn’t the conventional definition of privacy respecting but I’m definitely ready to be pulled on-side if anybody starts pushing it.


There are ways to check what data is sent through the network...


Not really, not anymore. Many apps are now using certificate pinning to make it impossible for the user to modify the trust store. This means that unless it is open source, it is very difficult for people to verify, even when they know very well what they are doing.


There's always a way, even if it's a lot more painful now! https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-00...


But you can verify that the app does not use the network at all, right?


Yes you could, although the bar is still a lot higher than if it's open source. You will have to fully re-test all possible paths in the app every time a new release is made if it's closed source. If it's open, you just need to look at the git log.

Plus if there is one legitimate network call, then this strategy is out since you can't know what that request contains. OP is using in-app purchases, so I'm willing to bet there's at least one network call in there.

If there is no network access permission at all, then I think we agree, that's a reasonable guarantee.


Interesting if in-app purchase is registered as the app network access vs Google Play services network access.



