This is for 2 reasons. One is that all non-classic snaps are already confined by AppArmor which denies access to things like /etc, /root, your home folder, etc. without an appropriate interface connected. Secondly, there is upcoming working on supporting portals that will allow a snap to attempt to access any file on the system and display a graphical prompt allowing you to allow that access. I’m not super familiar with how portals are implemented, but I know that work is underway and it will be the preferred way to provide snaps access to files going forward after it’s done as it does exactly what you want and provides the user a way to control what files are accessed by snaps as those files are attempted to be accessed. Of course not every snap will implement support for portals, but then it’s an adoption question.
Non-classic snaps are not allowed to read/write to any file in the home directory starting with a dot. 
Additionally, even if you do use a classic snap, you need to explicitly acknowledge you are installing a classic snap with the
--classic flag, and only developers that have been vetted are allowed to publish classic snaps.
The gnome-calculator snap (and to my knowledge all other pre-installed snaps) are all strictly confined (i.e. not classic) and hence are sandboxed by the snap confinement model detailed in this white paper. This means that they cannot access things like arbitrary files on the filesystem and also cannot arbitrarily access devices on the system, in the way I presume a keylogger would.
 These interfaces could be auto-connected however if a snap author requested auto-connection as per the snap declaration approval process
 Though now they can if the snap is vetted using the snap interface auto-connection approval process and uses the personal-files interface new in 2.37.