A file with sensitive-looking content/name was written to external (world-accessible) storage.
How it's exploited
Sensitive content landed on external/shared storage, which other apps can read (broadly on older Android, via media/documents APIs on newer). It also survives app uninstall.
Why it matters
Cross-app readable copies of private data, outside your app's sandbox and deletion lifecycle.
How to fix it
Write private data to internal storage (Context.filesDir) or scoped app-specific external dirs.
If exporting is a feature, encrypt the export or hand it off via the system share sheet instead of dropping files.