F-Droid's vulnerability scanner automatically identified a known vulnerability in the Simple File Manager app. It was in the PDFium library, and the developer has been notified about it - https://github.com/SimpleMobileTools/Simple-File-Manager/issues/656
The vulnerability could be exploited with a .pdf payload.
Meanwhile, the app is available in the Google Play Store. Isn't Play Protect supposed to identify the vulnerability as well?
P.S. I have deep respect for Simple Tools, for building high-quality FOSS Android apps.