Do you mean a no-internet app (like this) could write data locally in a way that another internet-enabled app (in cahoots) could locally receive? Like a non-sandboxed storage area? Seems plausible.
yes that and internet permission can be added later and pushed with an update. Unless you are checking permissions after every update you will not know.
