1. Default storage is internal. Some apps might have settings allowing you to set them to store to the SD card, but android itself always uses internal storage.
2. All non-system storage is accessible to apps, as long as the particular folder, file, etc., has read permissions for user (the creator, which is the app that created it) and other. Some apps create folders with 'worldwide' permissions (read, write and execute for everyone), some limit them so much that you can't store anything in their folders using a different app.
"Is internal storage safe from app developers accessing it?" isn't a question that can be answered unless you can see the permissions for that folder. Some file managers can show permissions, or you can use a terminal app and use the ls -l command - rwx is read/write/execute permissions, the first group is user, the second is group, the third is other. The first letter for a folder is d for a directory, l for a link and - for a file.