The article in Chris’ mail is misleading. This has nothing to do with normal apps having normal access to SD card contents. This deals with a specific issue, that was already patched:
Google issued a patch for the flaw via a Play Store update back in July, and a patch was then distributed to all Android partners.
That SD “issue” described in the article does not really apply: With blurred pics, any rogue app would have access to the same data it could afterwards access freely online. Including locations (which the article specifically worries about)
If those pics were not blurred, what additional info would that rogue app get?
Some faces of strangers’ and some car number plates?
That would be a problem if you could do that at scale, for all uploaded pics at once, or at least for an arbitrary pic on mapillary. But it’s only for that one user who is attacked, and I bet there is much more interesting info on his SD card than that.
The real privacy threat with unblurred pictures is not local storage, but uploading them unblurred to facebook. Where facebook themselves or blackmailed by some rogue 3-letter-agency could analyze them before blurring.
In the most benevolent interpretation, the mapillary team is using that fake SD threat to get funding for on-device blurring to underhandedly counter said real threat.
In the most evil interpretation, facebook wants to close up mapillary and thus needs to make sure pictures are never accessible outside their control.
In the most bland interpretation, there’s just some clueless middle manager somewhere in the command chain who needs some weird privacy checklist item checked.