Yeah, I can see a definite need for this behavior, it would be nice if android required separate permission to access mic & camera while the screen is locked; if firefox additionally requested that permission per-site.

Sure some may want this behavior, but I think most will not: it's unexpected.

I think it's probably more complex than that. It's either unexpected or expected depending on what you're trying to do, as shown by the cases mentioned here in the comments. You want to record something but you want your phone in your pocket (and locked, so you don't accidentally touch something). You want to use it as a baby monitor for a room. Your in a conference meeting call but in your car without a charger, so would prefer to not waste battery on the screen. Those are all cases where if you were were actively using the camera and locked the phone, you might reasonably expect the camera to continue working as it seems a use case people would have.

At the same time, there's the desire to know that when your phone is not in active use (i.e. locked) it's not recording you.

I think this is a textbook case of where our expectations are contextual, and conflicting. A naive adherence to one expectation or the other will leave people unhappy. Perhaps then, a less naive behavior (prompting on lock, a visual indicator of any recording, etc) is sufficient.

There is a visual indicator Firefox provides an Android notification that appears when the camera and/or the mic is in use.

By visual indicator, I specifically mean a visual indicator that showed when your phone is locked, and the screen may be off (like an LED, as iOS is apparently enabling). To be clear, that's not only not an app's responsibility, and in fact it should not be something an app can change at all, so I don't really think Firefox should worry about changing how it indicates this.

Because part of this has to do with security/privacy and at the device level, this is really something Android needs to tackle. None of the solutions I proposed are really appropriate for an application, since that would imply an application has control over them, and they are useful only if an application can't change them so you can have assurance they work as expected.

This is less an issue of trusting Firefox, which I do (for the most part, but it does have a large security surface to be aware of since it runs remote code), and more an issue of trusting something like Zoom or Tik Tok, which I don't really.