Kerfluffle You should always assume in a compromise that they will get a full filesystem extraction. They consist of files, SMS, call logs, application data and inaccessible files (hidden ones, OS data, databases and logs). Some situations have also allowed a dump of the RAM which can be used to access application data or worse, although with hardened malloc zeroing kernel and slab memory on free makes far less to be desired in RAM.
In strict extenuating circumstances, a forensics lab may choose to physically navigate through your phone themselves if there is a suspicion to believe this must be done. Cellebrite sell cameras designed to capture the screen in situations like this.
If USB blocking is enabled then in practice it should not have access. However, it is a lot more nuanced, MSAB was known to target stock OS Pixels via a boot firmware exploit to dump the RAM and brute force credentials from sensitive data stored there. USB unblocking wouldn't matter if they find a way to get the credentials since it can just be turned off once they get them. MSAB claimed full file system in consent (user surrendering passcode) situations when discussing GrapheneOS specifically, while GrayKey claims they have support but without any details of capability. It is unclear why GrapheneOS extraction capabilities differed.
The exploit MSAB used was reported to Google by GrapheneOS and has been treated as a High vulnerability to them very recently. They would have to get in a different way for AFU (and most likely stock) Pixels when the fix happens. GrapheneOS have also worked on additional countermeasures like making warm reboots (that don't erase RAM) unused among other suggestions.
If someone was using GrapheneOS they'd likely target the person rather than the phone, monitoring to see if they can figure out what the credentials are via surveillance. If they seize the phone they also have all the time to wait for a vulnerability since the phone won't update when in someone else's hands. GrapheneOS cannot protect this.
Digital forensics companies are hush-hush, they won't talk and all you can do is make speculations and assumptions based on what they talk online. They either say nothing or keep it vague. MSAB provided the most details and it was quite literally a single phrase in a change log plus a YouTube video they tried to delete.
GrapheneOS provides a fair amount of security enhancements and behavioural suggestions that deter extraction already, such as using user profiles, supporting longer passwords, having a low auto reboot time and more. If you genuinely feel like you're being targeted for anything then erase the user profiles, turn off your phone or reset it. There is little to no data actually worth taking the risk of keeping if you think someone is after you because of said data. A user simply choosing to let them in is nothing the OS could do.