Trashed images in a vault can be seen without authentication

[rusty-snake]

Describe the bug

Trashed images in a vault can be seen without authentication.

AFAIK Vaults are implemented by moving the image into the internal storage of Aves that can only be accessed by Aves (and the OS, any app given root and maybe adb IDK). However trashing images in a vault move them to the shared-internal storage (under /Android/data) where they can be seen with Files w/o Authentication.

To Reproduce Steps to reproduce the behavior:

1. Create a vault (leave anything on default)
2. Move any image to it
3. Trash the image
4. Open Files and move to /Android/data/<aves app id>/files/trash
5. Tab on the image

Expected behavior

Either trashed images in a vault are kept in the internal storage or behavior is more transparent.

Screenshots

n/a

System information and logs:

On request if necessary.

Additional context

Vaults have a option to disable the trash for them.

[deckerst]

All true. I got lazy at the time but i should address this.

Out of curiosity, does your version of Android allow you to access what's in /Android/data/ from the device itself? On my device (Samsung S10e with Android 12), i get this:

[rusty-snake]

Out of curiosity, does your version of Android allow you to access what's in /Android/data/ from the device itself?

No, except for the system files app. So it's really a "friend uses device" issue and not "app with xy permission" issue.

And btw, it's GrapheneOS on a Pixel 6 (Android 13 still).