Hi prime
First, if the thief/assailant has both your phone and device passcode, it is pretty much game over.
* This can happen if the passcode is not long and entered in public and you are shoulder surfed. Hence, I would suggest always to use a very long and tedious alpha-numeric passcode and use FaceID/TouchID for unlock as a general use case. In case your phone gets locked, go to a toilet to enter the passcode. Yes, you need to be paranoid.
* If the assailant forces you to reveal your passcode by threatening bodily harm, gunpoint, etc., same thing, game over (btw, give it to them).
* Given the prominent space most third party password managers are likely to be on the home screen, the assailant could even ask you to unlock your password manager. One has to expect they will get savvy too...
So...our defense is limited to making it hard for the grab-and-run type of theft to completely upend your life.
In this regard, the ScreenTime passcode does add enough friction to give you some time to prevent total digital loss (remember in this scenario the thief does not have access to your iPhone passcode, at most an unlocked phone). In this unlocked state before the lock kicks in, ScreenTime passcode does the following:
* It prevents them by default being able to view / remove other devices from your iCloud account
* the reddit thread you mentioned is interesting, in that the thief could choose to change the screentime passcode rather than entering it.
  * To do this, the thief would
    * Choose change Screen time passcode
    * Choose forgot passcode
    * Would be prompted for appleid email (assume they know this and enter it)
    * would choose forgot appleid password
    * be prompted to type in the trusted phone number (I wish Apple allowed us to remove trusted phone #s, but atm you need at least one)
      * Hopefully, you are using a # that is not the # on the phone, but say a Google Voice number. However, this too is just a speed bump, but not a restriction, because you probably have GV on the phone too, right? (of course, I do as well)
    * Once the thief enters the correct trusted number after digging around looking for the trusted #, they then need to approve the apple id password change on another device or using a hardware security key assuming you have the latter set up (you should).
Hopefully, they don't have access to another device as well and you can rush to put the phone in Lost Mode. So in a nutshell, the reddit thread is not quite correct...you can go through the flow yourself without actually changing the password to test it out.
It's tough, given how much of our digital lives are on our phones...
If you want to add another, paranoid layer, carry two phones, ideally connected to different apple IDs. One would not have 1Password and other sensitive apps or email accounts, but it could have some cards added to apple pay to pay for things. If on a different apple id, you won't get the same iMessages, but you can add this phone to your primary # for WhatsApp. Basically, give this phone to an assailant and provide the passcode too. Hopefully they don't search you for the other phone. Your primary phone could be in your backpack while the 'disposable' one is in your hand. If you do this, you could even just leave the primary phone at home if you are out on the town.
Lots to think about...we should each think of our threat model, I guess.