That's a huge leap that has nothing to do with the article. Yes, it's hypothetically possible that an attacker could circumvent location services. But that's not what's happening here.
Even if an attacker were to create an app that uses UWB to retrieve location, they'd still use location services to retrieve the data. It would still show up in the status bar. It would still require the user's consent.
I am not sure if there is a public API for UWB right now. I believe there is no public API yet because if there is the developers should be the first to notice this feature.
I know this is all theoretical but this is in the realm of possibilities given that iOS 13 is showing a few bugs right after its release. The attack that i am imagining is not on the UWB because that would be pointless but on the system process/apps that keeps on requesting location information. If i am not mistaken what Apple is trying to say is that location service is always on and is never turned off. What the system does is restrict all apps from accessing it except for the app or service that checks whether to turn off or on UWB depending on the region the device currently is on. With that an attacker then targets that system apps or service that keeps on requesting location information. If such attack is successful then a malicious app can actually monitor your location information even if it is restricted by the system.
Another issue is, while location service is running and providing location data to this system apps/service are data being saved locally even though they are not sent remotely? This is important because privacy does not only means sending private information remotely but saving private information locally. Like a GPS in your car. If you don't want someone to know where you have been you should totally turn off your cars GPS tracking system. Same with this issue, if someone steal your phone then opens it using FaceID by scanning a 3d print of your face (im not sure if its possible
) then does a forensic data/analysis on it then they will be able to map out where you have been and possibly what you have been doing. You would say this is a far fetched scenario or a James Bond or Jason Bourne like story but for a journalist this can be an issue specially if she/he is meeting a source and does not want to be track he/she should have the option to do so.
Anyway, I know its hard to swallow because you would think I am just bashing Apple or I am an Apple hater
but I am not, I dislike some of their practices and products but I like some of them too, but for me when it comes to data security and privacy I tend to be open minded, critical and avoid being bias.