The simple answer is no, they can't do that, because they can't do it today. Apps can't access files outside of their own app sandbox / directories without consent. That's the status quo already. The issue is that there's a coarse permission for a shared external storage volume.
Scoped Storage drops support for this coarse access control model and storage permission, similar to how it went away for external drives in Android 4.4. Users can still grant access to the entire storage volume since when the app requests access the user can choose any scope.
Apps have everything they need to avoid using the coarse, privacy-unfriendly storage permissions. The issue with the design is those coarse permissions existing at all. Apps demand them and aren't designed to work without them, and they store private data in that shared storage.
Scoped Storage removes those permissions and works around legacy apps designed around them by providing a scoped view of external storage, emulating the way it used to work. Removing it forces apps to use SAF (added in Android 4.4), where the user selects files/directories.
There are still some fairly coarse options available for things like media. An app like WhatsApp could decide to approach it by requesting Photos access and storing media in shared photo albums. It becomes much clearer to users though, and it gives them granular control in general.
GrapheneOS's use of KVM is totally where my mind was going regarding compartmentalizing the apps. I can see scoped storage as a stopgap measure IF the android devs felt that upcoming device processors were not going to be powerful enough to run full-on KVM.
Then again this is kind of apples and oranges though since we're talking about app isolation as well as shared storage. If the KVM just provides a pass-through to shared storage without a storage management layer (think apparmor for storage), then we're back to square one.
Reminds me of the iOS vulnerability where apps were/are still writing sensitive user info to shared storage and others have the ability to scrape it. e.g. apps that were denied location services can scrape data saved by apps that did have access to location services.
For this kind of thing, it's definitely the app devs who are not thinking about security enough while designing software (I'm assuming here the devs have the option of alternatively saving data to an app-specific memory area).
The reason this is called external storage is because it's not the usual internal storage. External is referring to it being outside of the app sandbox. Apps need to explicitly opt-in to it and can't access data stored by other apps without permission. That's not what's wrong.
What's wrong is that the OS supports the ability for apps to request access to the entirety of external storage, rather than using the fine-grained model of the Storage Access Framework. The point of Scoped Storage is to emulate the coarse legacy approach to get rid of it.
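As an added illustration of the two choices the thread contrasts (it is not code from anyone in the conversation or from Android itself), the following Kotlin Activity keeps private data in the app sandbox with no permission at all, and reaches user-chosen files on the shared volume only through the Storage Access Framework, so the grant is scoped to whatever directory the user picks instead of the whole volume. It assumes the AndroidX `activity` and `documentfile` libraries; the class and function names are hypothetical.

```kotlin
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity
import androidx.documentfile.provider.DocumentFile
import java.io.File

class StorageChoiceActivity : AppCompatActivity() {

    // Private data belongs inside the app sandbox. filesDir is owned by this
    // app's uid, needs no runtime permission, and is not readable by other apps.
    // This is the alternative to dropping tokens or logs on the shared volume.
    fun savePrivateNote(text: String): File {
        val f = File(filesDir, "note.txt")
        f.writeText(text)
        return f
    }

    // Storage Access Framework: the user picks a directory in the system picker.
    // The app receives a URI grant for that subtree only, not a blanket
    // READ/WRITE_EXTERNAL_STORAGE permission over the entire volume.
    private val pickTree =
        registerForActivityResult(ActivityResultContracts.OpenDocumentTree()) { uri: Uri? ->
            if (uri == null) return@registerForActivityResult // user cancelled
            // Keep the grant across reboots; it stays limited to this subtree.
            contentResolver.takePersistableUriPermission(
                uri,
                Intent.FLAG_GRANT_READ_URI_PERMISSION or Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            )
            exportInto(uri, "export.txt", "content the user chose to share")
        }

    // Write into the granted tree via ContentResolver/DocumentFile rather than
    // raw paths such as Environment.getExternalStorageDirectory(), which is the
    // legacy, coarse model the thread describes.
    fun exportInto(treeUri: Uri, name: String, text: String): Boolean {
        val dir = DocumentFile.fromTreeUri(this, treeUri) ?: return false
        val doc = dir.createFile("text/plain", name) ?: return false
        contentResolver.openOutputStream(doc.uri)?.use { it.write(text.toByteArray()) }
            ?: return false
        return true
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        savePrivateNote("sensitive state stays in the sandbox")
        // null lets the picker open at its default location.
        pickTree.launch(null)
    }
}
```

The split mirrors the point made above: nothing in this code asks for the coarse storage permission, private data never touches the shared volume, and the only shared-storage access is whatever scope the user selected in the picker.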