No applications installed through the Mac App Store have permission to read your documents unless you explicitly allow that. And you can revoke that access at any time by going to System Preferences… > Security & Privacy > Privacy > Files & Folders.

> They all have permission to upload your entire documents folder to the internet

They do not need to, and unlike "webapps" there isn't a remote server that can change the code that you are running at any moment.

Your response entirely fails to address the parent's concern about security. It's like responding to a RCE in your backend with "yeah it's there but we'll trust the users to not use it"

I do not understand your example. It would not be the user triggering the RCE but rather a 3rd party. In addition I do not see how it fails to address their concern.