Saving your fingerprint to a networked mobile device has to be a bad idea

Of course Android users don't care, but you just know that as soon as they have scanned their fingerprint with their device, Google *and* NSA will have it in their databases within 5 minutes. How does this now work in Sailfish X? Where and how is the fingerprint data saved, and how vulnerable is it to attack? Could it feasibly be extracted from the device by someone not in physical *or* in physical control of it?