If the OS (in this case, Android) wants to get your private information, you have no way to block it, because all info is managed by the OS.
Many people trust Android because its source code is open (although less than 0.01% users ever read the source code). So, there are no hidden backdoors. This is fundamentally different from iOS, or Windows.
But as a company, Google is still a profit-driven company. The greedy Wall Streets always want to maximize their profit. It may be evil sometimes, just like the example you mentioned.
Android assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This makes it even more secure than Linux, at least theoretically.
So in Android, no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. By default, no application can read or write the user’s private data, and another application’s files, or access network. All apps by default can access their own files only, or files you set as globally readable/writable (e.g., video files you transferred to the SD card from your PC).
When you install a new app, it will let you know what kind of access it requires. Read/Write USB storage usually means read/write own files (generated by this app). If it wants to access camera, then your camera and photos taken by the camera will be accessible for this app.
Of course, you can manually set the permissions for each file/directory using ADB shell (you need familiar with Linux first).
So, in short, you can not prevent OS from “stealing” any info on your phone. But as Android is an open source project (although there are some critics on the licensing), unlikely, it will steal your personal info. This is one of the most valuable feature of Android. Unfortunately, most people just read it as free.
It is the Apps that may do bad things, theoretically including the apps built by Google. But most of the time, it is the third-party apps. For third-party apps, they always need ask for permissions to access personal info, your only choice is not to install it.
Please note, the Encrypt device or Encrypt SD is to protect your phone in case it is stolen or lost, not for apps.