Unless you explicitly allow them (via a flag) in your kube-state-metrics deployment, Kubernetes labels and annotations are not translated into Prometheus labels.
kube-state-metrics doesn't specifically matter. Prometheus has built-in Kubernetes service discovery, and you can drop labels/annotations or not. Most people never see this because they take an opaque blob from a vendor (helm chart, prometheus-operator), etc. -- but it's there: https://prometheus.io/docs/prometheus/latest/configuration/c...
kube-state-metrics does its own service discovery and outputs prometheus metrics that it cares about, but any app could do that.
You’re absolutely right, though none of these transfer labels by default (neither does the example Prometheus config in the prometheus repo). Prometheus, including Prometheus operator require you to allow-list them. (I should have mentioned that I maintain the Prometheus Kubernetes SD, and am the original creator of kube-state-metrics, prometheus-operator and kube-prometheus)
kube-state-metrics does its own service discovery and outputs prometheus metrics that it cares about, but any app could do that.