I think those are features, not a bug.

Maybe for your threat model. Not mine.

Ah yes, getting access to your own data would be a massive problem, can you imagine such a world?! /s

Such data should be put in (or encrypted by) the hardware-backed keystore. You get to have full access to what the OS does, including seeing what data gets passed into this secure element for encryption or signing (you retain visibility and control), and yet secrets can't be leaked to you or an attacker who tries to extract those secrets

See e.g. your bank card: it's yours, you can choose where to stick it and what transactions it authorizes, but you can't get at the token that serves as proof of possession nor reset the PIN attempts counter. Your phone('s banking app) could work in the same way and has the hardware on board that makes this possible. So you see, it's a choice that you don't get to see what apps are doing and people are scared into believing that access to their own phone is bad. It's a matter of conflicting incentives on the vendor side, not technical risk

There is an API for backing up all app data that requires authorization. This is different from giving the user root, so any malicious can back up all app data at any time.

Which API do you mean?

adb backup

If you control the build, you should implement your own Backup Service. You should not just open all apps' data to any app.

Oh, that useless thing. I was very confused about something which can "app data that requires authorization" (thought maybe it's some Google service that extracts your secrets for device migrations) but you just mean the old adb backup that the security industry (that I'm part of, and fighting from within :p) destroyed in the name of people's own good

Like, yes this exists, but it doesn't back up half the things you need :(

"adb backup" is buggy and deprecated.

It's easier and more reliable to use adb root to rsync everything. No apps need root access that way.