@UFO
Apps
can read almost any data on your phone that's been put there by any app.
If the "contract" says they can read all data on your phone, they're
allowed to do it.
You're actually just betting that they won't.
Which is true for some apps, but not for all. And only one needs to take something you'd prefer to keep private and sell it on. For example, the only reason "highly personal" photos aren't captured and sold on is because there are so many people who share that kind of content free or via legal commercial sites that there's no money in it.
It's
possible for an app to ask for limited access, and it's
possible for a suitably framed lesser request in the "must accept" contract to be enforced. But many apps don't do this. Most "act" as though the possibility doesn't exist..
That doesn't exactly mean that when they ask for "everything" they'll misuse it. It
could be laziness, because it's a bit easier for the coders to be unconstrained. But not a
lot easier.
Something else that's 100% possible is giving users control over which components can access what data, with a nice App-like interface to manage it in a simple way. It isn't done because (a) hardly anyone actually cares, and (b) nobody on the "information thieves" side wants it.
Imagine this: There's a special data store on your phone for personal information you don't mind sharing.
You can also specify access rules for contacts, a special "public" photos storage area, etc
That's all Apps can get access to unless you explicitly specify otherwise.
There are literally hundreds of thousands of free apps that are
far more complex than this. From an operating system perspective it's trivial.
You'll know the theft has stopped when something like that is a standard smartphone OS feature.
BTW you can't blame the thieves. This is how they make money, and while it's immoral, it qualifies as "less bad than selling mild recreational substances", so clearly society as a whole has no right to criticize it on moral grounds. And users seem to prefer denial to privacy.
Denying the risks isn't wise though.