Google requested access to all the friends pictures? Or is that just the limits of Android permission?
GrapheneOS has storage scopes that get between app and OS to be able to do what the author wants: only let the app know of the existence of specific files, not entire libraries.
This is a part of Android natively. I assume that since most users intend to use Google Photos to manage their photos that it would request access to all photos.
I don't believe that Google would upload your photos remotely that haven't been backed up through Google Photos. Technically it sounds like their privacy policy would allow photos uploaded to Google to be used for training a model within Photos (e.g., I suspect their Ask Photos AI was probably trained on Google Photos data?) but it states that it won't be used for Ads or for training models outside of Photos.
GrapheneOS has storage scopes that get between app and OS to be able to do what the author wants: only let the app know of the existence of specific files, not entire libraries.