I will be going over how much data a thief has access to if they A) steal your iPhone and B) have your passcode. This may apply to Android.
1: The thief can access encrypted, password-protected notes with locks on them. After resetting (not disabling) TouchID or FaceID to their biometrics, Notes.app will not ask for the note password, and they can use their own face or finger to unlock it and view it. (The thief has no way of getting the password to the note if it's not saved anywhere inside of the note, but they don't need it to access it after this.)
2: The thief can view saved passwords in Settings.app after turning off or resetting FaceID or TouchID.
3: The thief can reset/change the iCloud/AppleID password with just a passcode, kicking you off every device you own, etc.
4: The thief can use any third-party apps that were biometrically tied to you; some apps will require account passwords for serious changes (like amazon.app).
Video I saw before testing: https://youtu.be/QUYODQB_2wQ
ImChimeraX t1_ja7rsrr wrote
For an end user, the solution is multi-factor authentication every time you want to use your phone. It already exists as an option on some privacy/security focussed Android custom builds, usually using an NFC tag, or by having to use both a PIN/password plus biometrics.
It's not very convenient so the vast majority of people wouldn't use it.
For corporately managed devices, mobile device management solutions exist which can prevent the user from doing certain things, or from having access to certain things, so there's more security there to protect corporate data and access to remote resources, but this isn't something most end users will have the knowledge or money to implement, and again, it's not very convenient due to the limitations.