From the market place, users can view what capabilities the app requires. If a user is concerned about an app's capabilities - say a Music app that requires access to your Documents Library and webcam - then the user can make a decision prior to downloading
the app to not install the app.
An installed app only has the capabilities declared in it's manifest. An installed app that requires access outside those capabilities - using the same example of a Music app that wants access to the Documents Library - then the app must "ask" for access
to that location via the File Picker. The user is the one making a decision here to either deny or grant access to the app.