That's probably not quite true. Take an app that the user is already likely to have given access to their photos, like Facebook. Create a malicious app with the same app identifiers, sign, and push to the user. At that point, the phone thinks it's Facebook, and should allow access.
That said, it'd be kind of unsubtle, and they'd probably get caught.
That said, it'd be kind of unsubtle, and they'd probably get caught.