Is the privacy-impacting SDK rule transitive?

Let's say I have an SDK that is not one of those listed, but it uses one of those listed. In this case, do I have to get the SDK I'm using to update their dependency to add the required signature and privacy manifest?