I've decided to go with wiping to default. Installing GFW and Play store on main profile and trying out this sandboxed google as main source for apps.
So... I have installed a bunch of apps via google play store.
Unusual thing happening, but may be a good reason its like this from your end @GrapheneOS?
When I opened FairEmail and look at its app permissions. It has network... That's it.
But when I open the app and select a backup, to restore the settings. FairEmail has full access to my files (uploaded folders by USB, camera folder etc). No option to select a storage scope.
When looking at its disabled permissions, files isnt even an option.
Anyway, I restored a backup then composed an email adding an attachment. The file attached and sent.
Similar thing happening with KeePassDX it has full access to file system to see keepass safe files.
This also doesn't have files as a disabled permission in the app configuration, it only has Network and Sensors as programmable permissions. But accessed my folders.
Am I missing something? Or should these apps not have access to all of the file system unless a scope or permission has been granted by the user?