I'll point to this next time someone questions my Stallman-esque stance.
What's full-disk encryption do if Facebook et al are going to funnel the data off your devices anyways?
Serious answer: the threat model FDE aims to address is cold physical attacks. That's it, everything hot (or even warm) and online is outside of scope. Facebook would be more akin in class to gray non-persistent malware, although they aren't actually malware in the strict sense and do face some bounds from the law which should make filtering and keeping them off a sensitive system more straightforward. At any rate, FDE is a good idea for a bunch of reasons given how cheap it is at this point, but it's just one of many needed pieces.
More fundamentally and beyond Facebook specifically, we need better ways to control data exfiltration and transfers from our datastores to and between software and services, period. Whitelisting should be the default. Data channels like clipboard APIs should either simply not exist at all or at least require explicit user per-application sign-off (and preferably even then with restrictions like requiring code signatures, timeout options, etc.). While single-purpose hacks are generally not justified, the specific instance of passwords & keys might be important enough in reality to justify operating systems providing some much more explicit "secure pasteboard" system that is far more heavily mediated.
What option are you referring to?
We have more-or-less mandatory full-disk encryption at work (outsourced software development) in order to prevent source code and data access in case the dev boxes are confiscated by some third-party agency. I believe it's still a good measure for this case, if you don't blatantly upload the data into the internets. (And have a religious prescription on keeping any work-related data off your personal devices.)
Ironically, at the same time, most of our people use Google Drive to share project docs and discuss most of the work-related stuff via Skype. Though, I guess the disk encryption is there for plausible legal deniability as well.
Since you mention it, full-disk encryption does nothing if your computer is on or asleep, which is the case for most users most of the time. It only works if your computer is off.
The disk is not encrypted when the computer is asleep. There may be other security mechanisms that may work, such as an OS-level password on wakeup, but not FDE.
(The details of FDE are a bit more complex, but practically the above is true.)
What exploits am I missing?
I find protecting my data from the marketing parasite is a constant compromise with usability.
If I remember correctly, the Facebook iOS app would also auto-prefill a new post draft for you if it found a URL in the pasteboard?
On Android any app can listen for clipboard events without permission. It's very possible that the Android Facebook app is scraping this data.
It also happens that the Facebook app is preinstalled on Samsung devices and can't be removed.
It can be disabled, which is as good as removed. Now if Samsung's own apps could be disabled, I would be happier.
The customisation OEMs do to Android reminds me of the old, bad days of Windows XP.
Anyway, what I want to say is that there are legitimate uses for nearly every API. Some should be protected with permissions and so on, but once an API is there, you should always assume it's central to someone's workflow.
Maybe a solution would be to have a manual button "share clipboard with the phone", instead of automatically sharing the clipboard.
"This recognition software prevents the app from scraping text that does not look like a URL, like passwords or emails, Harrison said. It’s not a perfect system, though: broken or fake links like “FacebookHasAccessToMyData.com” are still automatically recommended for posts."
Though to be fair, this is an issue with most OSs.
A lot of circumstantial evidence for extreme pervasive surveillance by Facebook apps is mounting.
Edit: another possibility is that other apps are doing the monitoring and selling the data to Facebook or to data brokers that then sell it to Facebook. Lots of "free" apps ask for every permission.
In any case security researchers now have something new to tear apart in 2018.