They can still access their own private area within external storage, which is fine for apps that just want to store large amounts of their own data, and they can use it for photos, video and music. There's just not any kind of general access to it anymore.
Yes, my interpretation is that that apps that simply used to use the READ/WRITE_EXTERNAL_STORAGE (runtime) permissions (which, if granted, implicitly give access to the whole storage, albeit possibly with some write access restrictions on removable SD cards) now instead need to explicitly ask the user to pick an allowed directory tree (or trees) using ACTION_OPEN_DOCUMENT_TREE.
So nothing that used to work should have become totally impossible now and instead of a simple yes/no choice users now could also answer "Yes, but only this directory", which should be nice, although it also means a slightly more complicated UX.
Of course Google also prefers you to use content://-URIs instead anyway. Those do indeed have the advantage that the receiving app doesn't require any special permissions because it simply uses the permissions granted by the app sending that intent, but at the same time they also have a number of issues that Google chooses to ignore. I've ranted about some of those here (https://hg.mozilla.org/mozilla-central/rev/9175cafb84bd), and the most important in my view is that content://-URIs as currently implemented totally break opening of locally stored HTML files (https://issuetracker.google.com/issues/77406791) and other similar content that implicitly depends on more than the one file that can be transmitted through the content://-URI intent.
