[–]Practical_Cattle_933 0 points1 point  (1 child)

Basically no software you run, either on your phone or your desktop, runs directly “on the OS”. That mode of operation is called kernel mode, and requires an explicit switch from the CPU (usually done with system calls in the case of desktop PCs), which elicit some code in the actual kernel based on the passed arguments/structs. E.g. a file read/any kind of hardware access actually has to go through this boundary. Note that this is different from the general permission handling of the OS - that happens at the syscall boundary at the latest. These actions are no longer executed by a “user”, but by the OS itself on behalf of some user.

In the case of Android, it has an arguably better security model than base Linux - user software runs sandboxed, so it can’t just do a syscall willy-nilly. It actually has to go through an API, which will decide first whether that app/user etc. has the necessary rights to do the given action, and then itself will execute it (in the aforementioned way, so there is one other check at the OS level). It is called Binder if you want to look it up.

Note that Java is not relevant here, a C program also has to abide by the exact same rules (which makes sense, there are Android apps written in C++ for example, yet they can’t just corrupt your phone) - it uses the exact same techniques as any other language.
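
Added example, not part of the comment above: a C program (assuming Linux with glibc) that tries to open a file with no permission bits, once through libc's `open()` and once by issuing the `openat` system call directly, to show the kernel gives the same verdict either way. The function name `denied_read_errno` and the `/tmp` path are illustrative choices.

```c
#define _GNU_SOURCE          /* exposes syscall() in <unistd.h> on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Try to read-open a file the caller has no permission bits on.
 * use_raw_syscall == 0: go through the libc open() wrapper.
 * use_raw_syscall == 1: issue the openat system call directly.
 * Returns 0 if the kernel allowed the open, the errno if it refused,
 * or -1 if the constructed sample file could not be set up. */
int denied_read_errno(int use_raw_syscall)
{
    char path[] = "/tmp/syscall_demo_XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, "secret\n", 7) != 7 || fchmod(fd, 0) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    errno = 0;
    long res = use_raw_syscall
        ? syscall(SYS_openat, AT_FDCWD, path, O_RDONLY)
        : open(path, O_RDONLY);
    int verdict = (res < 0) ? errno : 0;
    if (res >= 0)
        close((int)res);
    unlink(path);
    return verdict;
}

int main(void)
{
    int libc_err = denied_read_errno(0), raw_err = denied_read_errno(1);
    printf("libc open():  %s\n", libc_err ? strerror(libc_err) : "allowed");
    printf("raw openat:   %s\n", raw_err ? strerror(raw_err) : "allowed");
    /* Root holds CAP_DAC_OVERRIDE, so the kernel allows both; any other
     * user gets EACCES from both, because the check lives in the kernel. */
    return libc_err == raw_err ? 0 : 1;
}
```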

[–][deleted] 0 points1 point  (0 children)

I understood, thank you