That's why the detail matters. If the NHS app uses those services - which is quite likely - then the declaration is a statement that your personal data is shared with those providers. Not for them to do anything with (hence the line about not all of those firms accessing the data), but because that's how the app works. That's not sharing with those companies in a marketing kind of way, but because they provide parts of the service that the app relies on to work. And for any service that links you as a user to a database somewhere, you will find some of this going on; the only question is whether the company hosts it's own database, or buys in that hosting from someone else.
The privacy policy and Covid status privacy statement look like they are entirely consistent with each other. For completeness, you also need to have quoted the "Key things to know" section from the Covid Status Privacy:
The privacy statement you quote is then absolutely consistent with that statement. Someone holding your data is allowed to hire a company to run the system that processes that data, subject to the right safeguards being in place, and those statements are absolutely clear that this is what's happening. Amazon, Microsoft and ServiceNow all do a lot of business with government, plenty of which will require higher grade security than the app needs. The Royal Mail bit puzzles me, but if the app includes the ability to order a test kit, then your data has to be shared with Royal Mail to allow them to deliver to you.
If anything, I suspect the problem may be that the Scottish Government have been unusually transparent in what they've declared, and that things that lurk below the surface in many services have been openly and honestly declared here.
