At the point where you're writing off local arbitrary reads from unprivileged apps as "hardly the most important thing", I'm wondering what threat model you're pushing since to most people in security that's a pretty plain threat.

Even if you arbitrarily decide only RCEs matter, there's again a lot of binary blobs in a modern device and more importantly they do a lot more than you seem to think.

I'm not sure why Stagefright is your synecdoche for RCE when just a few months ago we got a set of CVEs that made it look like child's play. It turns out your device being exploited via baseband doesn't take SDRs, your baseband today is involved in MMS too:

https://googleprojectzero.blogspot.com/2023/03/multiple-inte...
Arbitrary local reads from unprivileged apps are a "pretty plain threat" in terms of recent developments in security as a result of improvements to what we can secure. In a typical desktop OS, it's just the norm, but for mobile OSs we've moved the goal posts because we can. If we were talking about deploying a new OS or shipping new devices, then yes, it would be absolutely unacceptable, but we're talking about keeping smartphones past their support alive, so I think it's fair to say at that point we expect the user to only install a small set of critical applications on the device. If what the user wants is a mobile game console to mess around with while also functioning as secure storage for sensitive documents, then yes, the user might need to rethink what's acceptable risk.

>they do a lot more than you seem to think.

I do mobile security research, I am well aware of what these devices do. The reason I cite stagefright vulnerabilities as an example is because stagefright is a library that has continued to have vulnerabilities well past the original set you're probably thinking I'm referring to, and vulnerabilities that we have seen exploited in practice. Are there any known worms exploiting the project zero bug you've linked? Because at least from what I've come across, an updated LineageOS install only running apps from F-Droid would not be vulnerable to any non-targeted attack in the wild I've heard of. (Not a rhetorical question, to be clear, it's entirely possible I missed something, and I would love to know more if my understanding is out of date.)