Yes, it could happen.
If you open Activity Monitor, view the apps list, right click the headers, and add the sandboxed column. Any app which isn't sandboxed could access your files pretty much at will (not system files or files you don't have access to, but yours) and upload them.
Mac App Store Apps are required to be sandboxed, or else to explain to Apple why they need to not be sandboxed. If there's a good reason and it's not doing anything malicious like you described, then Apple will approve it. If there's not a good reason, or it does malicious things, then Apple doesn't allow it in the App Store.
As a further layer of security, Apps not distributed through the Mac App Store can be signed by developers. GateKeeper by default will prevent you from running unsigned apps, so you'd know if it was disabled because you would have manually done it yourself. Signed apps could be malicious and not sandboxed (because Apple doesn't review them or anything). You can report an app if you finds it's doing malicious things, and Apple will disable that developer's signature so that any app the developer signs is blocked from running.
Even if the app isn't signed, you can still report it to Apple and they can disable that specific version of that specific app from running (but whoever made it wouldn't be known, so they could just make a new app which is just as bad and release it and it wouldn't be disabled until someone else reports it.
To summarize:
- Apps you install can't access files you can't access (unless you provided it with the admin password at some point... Or don't have an admin password)
- Apps from the App Store are generally sandboxed so they can't access arbitrary files, or at least reviewed by Apple to make sure they don't do bad things.
- GateKeeper keeps you from running unsigned apps by default. (Only available in 10.8, Mountain Lion, and newer)
- Report a signed app > all apps signed by that developer are blocked on all macs.
- Report an unsigned app > that app is disabled on all macs.
