
So you're detected just by Wifi. Ok. Your phone is transmitting every network you saved. As OSINT you can pretty much fingerprint everybody with just that. And even since phones are using randomized MACs, there are methods to leak the true MAC.


> Your phone is transmitting every network you saved.

That's not how saved networks work, as far as I know. If you have a source saying otherwise, I would like to read it.


The WiFi spec has something called "active scanning" [0] for clients (as opposed to passive scanning, where the client listens for the periodic AP beacons). There's something called a "directed probe request" [1] that a client can send during active scanning which will contain the AP's SSID it's directed towards. Whether or not your particular device sends these direct probe requests is probably configurable and different per client. According to this [2] post, Android devices will sometimes send SSIDs in a scan, but not all of them and not always. It might be possible to find the logic in the Android source code; I assume it's there somewhere.

[0]: https://www.wi-fi.org/knowledge-center/faq/what-are-passive-...

[1]: https://dot11ap.wordpress.com/active-scanning-probes/

[2]: https://stackoverflow.com/questions/36264440/phone-doesnt-se...
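
Added example, not part of any comment in this thread: a small parser that shows what distinguishes a wildcard probe request from a directed one (the SSID element is empty or filled in), and whether the source MAC has the locally administered bit that randomized addresses set. It assumes frames begin at the 802.11 MAC header with no radiotap header or FCS; the sample frames, MAC addresses and SSID are constructed.

```python
# Added example: parse 802.11 probe requests and classify the SSID element.
# Assumes frames start at the 802.11 MAC header (no radiotap) with the FCS stripped.

PROBE_REQUEST_FC0 = 0x40  # protocol version 0, type 0 (management), subtype 4
MGMT_HEADER_LEN = 24      # frame control, duration, addr1-3, sequence control
SSID_ELEMENT_ID = 0
MAX_SSID_LEN = 32


def parse_probe_request(frame: bytes):
    """Return a summary dict for a probe request, or None if not one or malformed."""
    if len(frame) < MGMT_HEADER_LEN or frame[0] != PROBE_REQUEST_FC0:
        return None
    src = frame[10:16]  # addr2 is the transmitting station
    info = {
        "source": src.hex(":"),
        # Bit 0x02 of the first octet marks a locally administered address,
        # which is what randomized MACs use.
        "locally_administered": bool(src[0] & 0x02),
        "kind": "no-ssid-element",
        "ssid": None,
    }
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            return None  # element runs past the end of the frame
        if elem_id == SSID_ELEMENT_ID:
            if length > MAX_SSID_LEN:
                return None
            info["kind"] = "directed" if length else "wildcard"
            info["ssid"] = body.decode("utf-8", "replace") if length else ""
            break
        pos += 2 + length
    return info


def build_sample(src: bytes, ssid: bytes) -> bytes:
    """Constructed probe request: broadcast addr1/addr3, SSID + supported rates."""
    header = bytes([0x40, 0, 0, 0]) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])


if __name__ == "__main__":
    for mac, ssid in [(b"\xda\xa1\x19\x00\x00\x01", b""),
                      (b"\x00\x11\x22\x33\x44\x55", b"ExampleHome")]:
        print(parse_probe_request(build_sample(mac, ssid)))
```

Running it over a capture of your own device's probe requests shows whether it ever discloses a saved SSID, and from which address.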


Active scanning (where the client sends the SSID of an AP it's trying to connect to) is ironically limited to just hidden AP SSIDs.



