
What is the threat vector here?

User installs the game, has fun, uninstalls or leaves it there where only they can run it.



Sure, if you never accept any external input of any sort and handle no user data or input, you can assume things are fine.

But if that random game should, say, fetch user avatars from the web, then untrusted input to a way out of date image decoding library would be a nice path to a remote code execution vulnerability.

Or if the app registers any intent handlers that other apps and websites can trigger, or establishes TLS connections to any third party site, or...



