Privacy controls are one of the reasons I like using custom ROMs. For example, CyanogenMod contains a privacy manager where you can disable access to certain items like accessing contacts or SMS messages. I used it recently on a Twitter update that wanted permissions that had nothing to do with tweets. I've also disabled location access for a couple of apps that use it only for advertising.
OmniROM, a new multi-phone firmware that's still in the early stages, also plans on adding a firewall so you can disable network connectivity for certain apps.
But yes, it is frustrating that Google haven't had this functionality as a baked-in part of Android. It should be a security layer in front of the various APIs: if you don't have access, you get returned dummy data (no contacts, no SMS messages, unknown location, etc.).