Yes, an app is required to trigger the surveillance since beacons are one-way, but not really a 'malicious' app install. If tomorrow candy crush/angry birds want to tap into the gimbal database, well congratulations. Worst, if FB/Google want to tap into the database, nearly every android/iOS phone with BLE on will be a target due to their massive app install base.

What about beacons being not so one-way? Assuming you enabled the beacon on your own phone for whatever reason (some fancy app), then information can be gathered easily without you giving permission or noticing at all.

Absolutely true, but this is also possible with just about every other technology today. "Bad Apps" can report information about Beacons, GPS, or any other sensor on the phone they have access to.

Hm, maybe not so easily with other technologies. GPS is a passive thing and you can select which apps can use it. Beyond that or outside of your phone nobody will be able to register your location.

WiFi is active and yes, wiretapping is possible, at least for locating you. Hardware/software for doing this though is not readily available as far as I can tell.

Finally, iBeacons: very simple software running on a passive BLE device that simply records all BLE UUIDs passing by, that's all!