No Google Play. Syncthing + sdcard = secure?

That’s an interesting question. Let me explain a bit:

If you open a file using Cryptomator for Android with an external app like Keepass, we share a link to a temporary copy of this file with the selected app using a ContentProvider. Before we share the link, we download, decrypt and save this file as a temporary file in the internal storage of Cryptomator for Android, to which only Cryptomator for Android has access (internal storage is part of Android’s sandboxing model). After that, as already mentioned, we share the link to this file using the content provider with the app the user selected, and only with this app.
As soon as we return to Cryptomator, we revoke the permission of the external app to access the file. If the vault has not been locked in the meantime, we check whether the file has been changed. If so, we publish these changes back to the cloud.
As soon as possible we delete the temporary file in the internal storage and also revoke the permission of the external app to access the file when the vault gets locked.

Side note: What the external app does with the contents of the file while the app has access to it is beyond our control. You should only open files in apps you trust - but that should be obvious.
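
The flow described in the post above (private temporary copy, per-app URI grant, revoke on return, delete on lock), as an added Kotlin example that is not Cryptomator's own code. The class name `TempShare`, the authority string, the `decrypted` directory and the SHA-256 change check are assumptions made for illustration.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import androidx.core.content.FileProvider
import java.io.File
import java.security.MessageDigest

// Hypothetical authority. It must match a <provider> entry in the manifest with
// android:exported="false" and android:grantUriPermissions="true", plus a
// <files-path> entry covering "decrypted/".
private const val AUTHORITY = "com.example.vault.fileprovider"
private const val RW =
    Intent.FLAG_GRANT_READ_URI_PERMISSION or Intent.FLAG_GRANT_WRITE_URI_PERMISSION

class TempShare(private val context: Context) {
    private var file: File? = null
    private var uri: Uri? = null
    private var digestAtShare: ByteArray? = null

    private fun sha256(f: File): ByteArray =
        MessageDigest.getInstance("SHA-256").digest(f.readBytes())

    // Write the plaintext to app-private storage and grant exactly one package access.
    fun open(name: String, plaintext: ByteArray, targetPackage: String): Intent {
        val dir = File(context.filesDir, "decrypted").apply { mkdirs() }
        // File(name).name drops any directory part, so the copy cannot escape `dir`.
        val f = File(dir, File(name).name).apply { writeBytes(plaintext) }
        val u = FileProvider.getUriForFile(context, AUTHORITY, f)
        context.grantUriPermission(targetPackage, u, RW)
        file = f; uri = u; digestAtShare = sha256(f)
        return Intent(Intent.ACTION_VIEW).setData(u).setPackage(targetPackage).addFlags(RW)
    }

    // On return to the app: revoke the grant, then hand back changed content for upload.
    // Returns null when nothing changed or the vault was locked in the meantime.
    fun onReturn(vaultUnlocked: Boolean): ByteArray? {
        uri?.let { context.revokeUriPermission(it, RW) }
        val f = file ?: return null
        val changed = !sha256(f).contentEquals(digestAtShare)
        return if (vaultUnlocked && changed) f.readBytes() else null
    }

    // On vault lock, or as soon as the copy is no longer needed: revoke and delete.
    fun onLock() {
        uri?.let { context.revokeUriPermission(it, RW) }
        file?.delete()
        file = null; uri = null; digestAtShare = null
    }
}
```

Revoking the grant stops further reads through the content URI, but anything the external app already copied while it had access stays with that app.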