They can ask for access to their own directory on iCloud, or arbitrary files on the iCloud Drive. They cannot ask for access to directories other than their own on the device; sandboxing is rather strict.
It’s still not ideal; mobile platforms are not designed to protect you from state actors.