>This still relies on the legitimate app not storing the key they fetched in a public directory so the attacker can read it.

Obviously. Why would they do anything else? The point is that they can safely store the logs on an SD card under space constraints.