Hey and welcome to the Cryptomator Community ,
The answer to this question highly depend on the security issue you referring to. In general, scoped-storage was introduced to Android in order to be able to granularly determine which folders, for example, the torch app is allowed to access. The main aim is to prevent this app from analyzing data, for example, without any benefit for the user or without the user being aware of it.
Cryptomator acquires this permission, for example, for the auto image upload. If an image file is stored somewhere, this image can be captured and uploaded. Cryptomator only saves files to the SD card if they are explicitly exported and the SD card is selected as destination. Otherwise, no data will get into the SD card that could be used by other apps that have also been granted this permission.
If you don’t trust Cryptomator itself, and since your vault is in the local storage from Cryptomator’s point of view, you can revoke the internet permission of the Cryptomator app so that even if Cryptomator would do something with your data, it would not be able to send the results.
Also, the app is open source, so another option would be to study the source code: GitHub - cryptomator/android: Cryptomator for Android