WTF?
So the NYT's "commissioned" an app developer to put together something incredibly trivial because it's a known fact (and presumably a design decision) that the "user data" (let's call it external SD, because it differs from /data/data, which is some what protected) is accessible to any app. This is newsworthy?
How else are apps like Photoshop, Facebook, Twitter, Dropbox, etc going to gain access to your photos for retouching/uploading? Yes, you could have them encrypted on external SD with an API and explicit permission set for accessing them, but then you wouldn't be able to access them when you connect your phone via USB mass storage, which would be an incredible inconvenience.
I have several different video and/or music players on my Android devices, and they can all access my stored videos/MP3s, which is what I want to be able to do. On my wife's iPad, I accidentally loaded some non-video files into the walled garden of her CinePlayerX app, which I'm now completely unable to delete because they don't appear in the file list of the app.
Sometimes we have to balance the needs of security with convenience, just as we do in real life. I'm not going to be taking naked pictures of myself, or copies of state secrets on my phone, so if they somehow end up on a public website, I don't particularly care.
If I were to do something that required more security, I would be taking the appropriate steps to safeguard my data.