Usually, with
internal storage,
we are aiming to prevent other apps from reading or writing our files.

However, as
Arne Swinnen points out,
there is another possibility: reading metadata about your files, such
as size and last-modified timestamp, or even their simple existence.
While reportedly this is fixed in Android 7.0, it is unclear how many
older devices will get the fix. Most likely, the answer is ���few���.

App developers should not assume that file metadata is protected. In
particular, do not generate internal storage filenames
based on private identifiers.
Arne Swinnen���s blog post points out that both Instagram and Facebook
do this, and particularly in the case of Instagram, it is possible for
a third-party app to find out the Instagram user ID through brute-force
techniques.