Let me just start by saying that GrapheneOS is the best environment/OS to run these apps, so if you're going to use them anyway, it should be on GrapheneOS.
Beyond that, as you correctly mentioned, you should assume apps within the same profile can enumerate each other.
Furthermore, be aware that apps in the same profile can also communicate with each other if both apps consent to that.
With all that said, apps are still fully sandboxed and are fundamentally only going to have access to what you provide them. My rule is that if I'm allowing an app access to something, I'm trusting it to do the right thing with that data. I know that might be hard to do since these seem to be apps that you fundamentally distrust, but that's how it is.
If you don't want Whatsapp to have access to a specific contact, make sure that contact has not been added to the profile that Whatsapp will access the contacts of. Same thing with your files, although storage scopes makes it so you can have granular access over which folders/files an app can access, even if it wants access to everything.