PSA: There is a loophole in the iOS 17.3 implementation of "stolen device protection" (17.4 beta seems to fix it)

Stolen device protection on iOS 17.3 will allow disabling stolen device protection (as well as resetting face/touch ID) with only the passcode after a few failed face/touch ID authentication attempts. iOS 17.4 beta, which is currently only available to developers, fixes this so you absolutely need to pass biometric authentication to change these settings. If this feature is important to you, you may want to update to 17.4.