People here are also missing one part of the android security model. Yes, you can overwrite the system partition arbitrarily while leaving the data partition intact with an unlocked bootloader, that’s how updates work.
However, the moment you make any changes to that system partition it won’t match the developers signature and the apps on the system will throw an absolute fit. Look into building your own lineage ROM and flashing it over an official build, it’s an entire process that requires your data partition to be unlocked (ie. phone booted and pin entered) to keep your data, even without making changes.
Realistically it isn’t insecure, if you set a passcode your data is encrypted and if someone mitm attacks your rom you will immediately notice stuff breaking all over the place.
The whole bootloader locking is purely vendors trying to force you to buy new phones every few years instead of the user backporting security patches indefinitely, not any practical security for the end user.
No, because that’s not how the matching works. Stuff in your data partition, as well as app data, is signed with those keys and hashed to the device. All of those bits do that hash on their own, and they all have to match up. When you change the main system partition then it’s signature has to match with the one generated when you set up your phone initially in the data partition.
Basically you have to have access to the data partition to disable the checks or change the signature, which needs your pin/passcode/fingerprint, and if you have that you don’t even need the phone, you dump the data partition and unlock it in an emulated android environment and exfiltrate data from there as if it was the original phone.
I also want to reiterate: A locked bootloader does not stop anyone from dumping your phone, emulating it, and brute forcing it, completely bypassing any rate-limiting on password attempts. By the time a bootloader lock even comes into play you can consider your phone completely compromised.