Android is a lot more sandboxed than desktop OSes, where you already have this situation: all software that runs can access your keyfile (hypothetically). I wouldn't be too worried. They still need access to your kdbx file, your password, and know that your keyfile is a keyfile.
Seems like a low risk unless your threat model includes a nation state which performs a targeted attack against you.