First of all I want to thank the developers for their effort! I am really grateful that there are projects like graphene.

I stumbled upon an App called File Explorer that was capable to access files outside of the StorageScope which did contain nothing at all...

This is the link to the source: https://github.com/Raival-e/File-Explorer-Compose

What baffled me the most was that the directory and the files inside that the app was capable to see, that where not in the StorageScope, was the root directory of my phone. After that I panicked (I know maybe an overreaction, but I was getting paranoid because of the recent discussion about F-Droid, which was the installation method) and uninstalled it.

Maybe this is a bug, maybe this is a feature, I don't know. I just thought that it is worth to share my findings.

Maybe someone can explain, what and how is happening here?

Perhaps what you're looking at, and thinking is the app, is actually the Android File Picker?

    Dumdum no, the app displays content in the system (or product, not sure right now) partition, like priv-app, vdex files and so on. This is of course not affected by storage scopes.

      DeletedUser87
      So any app that was granted the permission to handle files can theoretically browse these directorys?
      Wouldn't that compromise security?

      I'm sorry if these are dumb questions, my understanding of the Android permission handling isn't the best.

          ParanoidAndroid there's nothing interesting in these directories. No user data ever goes there, so it's just the system APKs and config files. And not any app. If these apps are to be distributed through Google Play, they need to justify these permissions to not be removed by Google. So mostly limited to file managers and similar apps.
          The permission in question is android.permission.MANAGE_EXTERNAL_STORAGE btw.

              ParanoidAndroid try to create a file in that directory. If you can't, other (user installed) apps can't either. Spoiler: no need to try, it doesn't work anyway.