Currently there is a new securityhole in Android.
If a Android device logs in a wlan access point, the attacker is be able to get access to your calender, contacts or in your picture folder.
I don't want to scare you. There must be serveral factors.
Factor #1: the attacker must be logged in the same access point like you are. For instance in an opened access point in a coffee shop.
Factor #2 : The synchronisation to google must be activated.
Factor #3: If there is a synchronisation the attacker must get the token from it. With this token he is able to get access to the Android device. So it's possible too to upload data to this device.
But who is really affected?
Every device which isn't upgraded to 2.3.4 or higher .Only the third party app Picasa (google isn't responsible for this app) has this security hole.
Those who do not currently use the latest version and still want to go use a free Wi-Fi, should'nt share data to google