Because they use the default profile for SailJail. See:
The Sailfish OS application permissions are applicable only to sandboxed applications. Since Sailfish OS 4.4.0 all applications that do not specifically opt-out or define permissions are sandboxed automatically using a default profile.
Source: GitHub - sailfishos/sailjail-permissions
Theoretically, you’re right. It shouldn’t be trustworthy, but that means the app hasn’t been adapted to SailJail and it is usually abandoned.
Feel free to update this wiki: List of application affected by SailJail