hemingway Isn't the whole problem about permissions hidden in the fact that the Shell "app" lets rather call it a "system service" comes from AOSP itself?
On different devices (no GOS) this is same, you cannot to anything with it. I am not sure how you remove it or deny it in any way.
I mean I am not sure but to me it seems same way as any other shell is integrated in any other OS, like Windows, Linux, MacOS etc. it has access to almost anything on the OS unless there are some user and hardcoded protection rules in place.
Shell system service is not a product of GOS it is from AOSP I belive, which is a core service/element of the Android OS itself and thus it is like this.
I am again not sure if this is correct example, but for example on Windows or other OS there are some procedures, commands, subruttines, system processes that run in a blink of an eye using a Shell, but you are not able to see it becasue it is mostly hidden on the background.
Also I had this issue to understand this little wording detail but "app" on Android is not always "app" in a sence that many people undertstant it.
App is called basicly anything on Android (normall apps, or system "apps" or even fonts or gui elements like "Tear", "Cyrcle" you know when you can customize your GUI how your app icons are rounded etc. for example, those are under same category: "apps" but they are clearly not apps in that sense.
So the permision mechanism of OS over the "system apps" is not in place for this, because it is not an app in common sense but rather a system level service.