Recent versions of Android make it much more difficult for a background app to access the microphone. There will be a notification if any background app is using the mic or camera.
Google's "Now playing" feature constantly listens to what's going on in the background to show you what songs are playing. They claim this is done with a local database of song "fingerprints". The feature does not show the microphone indicator because: "...Now Playing is protected by Android's Private Compute Core..."
I'm not saying that other, non-google, app do this to my knowledge; but the fact that this is a thing is honestly a bit scary.
For what it's worth, I did just test it with airplane mode and it still correctly identified the song playing. So at the very least, it's not lying about using a local database to identify songs, at least when it is offline.
It also uses a cloud fingerprint database apparently according to the second paragraph:
If you turn on "Show search button on lock screen", each time you tap to search Google receives a short, digital audio fingerprint to identify what's playing.
Oh, I didn't notice this, my apologies. Turning on identify songs nearby reveals two new options, notifications and show search button. That show search button option must be new; I had identify nearby music on already since my last phone. Guess they added something new. My bad.
if this is used, or there is some whitelist that gives permission for background microphone use in voice interaction services, apps with tracking capabilities probably use some set of predefined keywords (hardcoded inside the app itself) and those can be triggered while being on standby/in background, when there is a match some pinging goes to outside servers...
What other apps use Google's "Android Private Compute Core" and therefore don't show mic or camera usage notifications? Not trying to sound all tinfoil hat here, but seriously: can apps other than those from Google use the "Android Private Compute Core"? Even if only Google's own apps can use the "Android Private Compute Core", we can't see the source code for Google's apps as (far as I know, anyway) they are not open source. If an app is not open source, we do not really know what the app is doing in the background; we'll just have to take them at their word.
Not to mention companies and their software (especially older versions) are commonly hacked. If there was a vulnerability, how long did my phone provide the hackers with unlimited access to those features to have them possibly try to extort me in real life.