That depends a lot on the nature of the leak.
First of all, "leaking" private information can sometimes be a misnomer. "Leaking" implies that it is happening on accident, though many applications actually harvest personal information by design.
Let's take an imaginary game on Android an iOS as an example. When you first start the game, it asks you to give it all permissions, and I guarantee you, a bunch of people will just click "allow". The application then regularly creates a HTTPS connection to the developer's server and uploads whatever private information it can get its hands on - contact info, clipboard content, private files, etc...
As a hacker, you could hope that the application is written badly and doesn't stop when a certificate error is encountered. In that case, a Man-in-the-Middle attack can be used to intercept and copy that data. Is this something that's feasible to do on a large scale? Probably not. It's not an attack that can be done passively either, so any ISP or government involvement (as you mentioned above) should better be worth it.
Some applications however do indeed "leak" private data. They could use plain HTTP with no encryption, or "custom military-grade impenetrable encryption algorithms" (better known as "Dave's protocol"), which then allow attackers to sniff data with relative ease.
Other applications contain flaws within the application itself, which allow attackers to gather personal information, such as SQL Injection attacks or Oracle attacks. In this case, gathering the data is just a matter of time.
The exact setup will depend on the kind of leak. Sometimes setting up an attack simply isn't feasible, as the cost would exceed the expected gain. Sometimes an attacker may only be interested in one specific, high-value target (think politicians, celebrities, etc.), in which case they could go considerable lengths to exploit this vulnerability. Sometimes all they need to do is download data and store it for sale or later use.
