There are several broadcasts that are routinely sent soon after boot (network connectivity, bluetooth), so that applications can semi-reliably start themselves at boot without listening for BOOT_COMPLETED. That means that protecting BOOT_COMPLETED with a permission doesn't accomplish any significant security gain, and risks desensitizing users to the danger of approving permissions for applications.
I suggest that BOOT_COMPLETED be left open for applications to use without permission. -- Jean-Baptiste M. "JBQ" Queru Android Engineer, Google.
