Also there's not really any good justification for the amount of data sent with the AGPS request. It can be a super plain HTTPS request with nothing else, instead of sending basically all of the tracking data from the device, including from what I can tell the IMEI which google doesn't even let app developers access anymore.
There is no private data in the request. The request is HTTP and authors could have analyzed them and discovered there is nothing in them. Instead, they published a list of things that Qualcomm privacy policy could include.
Do you have an actual copy of a example request (with all headers) from an manufacturer's ROM? There's a lot of discussion but no-one has actually posted the full HTTP request, but there is a lot of stuff which indicates there might be a lot more information in the request on official ROMs (especially those using qualcomm's daemon). I know grapheneOS keeps it to the bare minimum required.
The response post I was reading (and got posted here) didn't include any details. I can't tell if they actually looked at the response or were depending on someone else. But that is better than the original article that didn't even look.
Why would you expect any private data to be sent when requesting static file? That would slow down both the client and server.
I don't know why they would do it, apart from the obvious that it allows some tracking. Here's some more detail I managed to find on it (from /e/OS development): https://gitlab.e.foundation/e/backlog/-/issues/5765 . At least it seems the IMEI is not included (at least in this specific example), but a serial number and a bunch of other information about the phone is.
