If you configured your iPhone to never allow an app to access your location, you may have been tracked anyway. Release notes for iOS 16.3 make mention of CVE-2023-23503, which Apple says may allow an app to bypass your privacy settings.

A blogger reports that an app from a Brazilian company iFood was able to track users' location even when they restricted the app's access. I haven't confirmed the report, but the screenshot seems convincing.

I wonder how long this vulnerability was in effect. There may have been massive amounts of location data that was collected without users suspecting a thing.

I'd ask Apple for details, but the company would never answer.

https://notes.ghed.in/posts/2023/ifood-bypassing-ios-privacy-location/