My understanding of the permissions is this -
The app (say, Facebook Messenger) wants to use a "hook" (or API) into the contacts. In order for that to work, it needs to declare a need for the contacts permission. I believe, by adding the hook, it's automatically adding the declaration for the permission. Now, this does not stop someone from denying that permission once the app is installed (and breaking some functionality of the app), but in order to not have the app declare the need for it you would actually have to re-write the code to not have that hook to the contacts app in any way.
I'm not a developer but this seems, logically, to be the way it would, or should, work.