There is no permission required to access that information. Any app can, since API level 1, use public static final String MODEL to return the device model. Source.
Hence why accessing bank/e-commerce/social media via a web browser is almost always a better option. You’d lose some convenience without one tap payment, one tap checkout, notifications etc. etc., but that’s how privacy works, and at least you can obscure and fake the requested data via the browser and avoid that shenanigan altogether.
Not really surprised by this. Expect half of the ecommerce platforms to be using your metadata to have differential pricing for the products.
Ecommerce websites/apps also use your location to charge you differentially on the basis of where you live.