N3rdTek Their website doesn't really say much about what kind of support they're offering. I'm not sure about this product specifically, but similar products have admitted that they can do (if I remember the phrase correctly) consent-based extraction. This means they need the PIN/password first. While it's unclear if that's the case here, keep that in mind when companies make big claims like this.
Of course, if any company is actually able to get into a locked AFU phone, GrapheneOS already has features that make this much harder. You can change the USB-C settings to something like "charging-only" or "charging-only when locked", or even just set to "off" for extreme cases. It's possible to use profiles and then end the session of any profile easily, putting the data back at rest. Additionally, you can use the auto reboot feature, which can be set as low as 10 minutes. Last (but definitely not least), literally everything listed in the Defending against exploitation of unknown vulnerabilities section of the website.
Also, I did a search of Graykey here and found this great post by a fellow moderator, final: https://discuss.grapheneos.org/d/4727-graykey-countermeasures/30