The only feature that actually makes sense from an OpSec perspective is a duress pin that when entered replaces the Owner password as the default and simultaneously wipes a Private Space inside a secondary user profile.
Along with making the default state of the OS be the maximum number of possible profiles exist.
So that any analysis will always show the same number of extent profiles regardless of how many are actually in use.
You enter the duress pin, it wipes the Private Space inside the specified user profile, resets the Owner password to be the duress password, and resets the duress flag.
So that by the time the device is unlocked, ADB is enabled, and a forensic extraction can be carried out the secondary private space is already gone and it is forensically impossible to prove it was ever extant/active in the first place.
Now, how technically feasible this is is another question entirely.
But as things stand, the current Duress Pin feature is generally more useful as a means of wiping a fucked up eSim than it is for serious threat models. A strong passphrase, which you should be using if facing any serious risks, will already protect the data basically forever.
If you provide/use a duress pin then you will be in for more pain (legally or physically) than if you just refused to provide a password at all generally speaking.
The more realistic option that would be useful would be the ability to set a duress timer. Don't successful unlock the phone for x hours and the next time it is powered on the Duress feature is automatically triggered and the phone is wiped. That should be relatively easy to implement, wipes the phone, doesn't expose the user to more legal risk (generally speaking), and generally solves most of the problems.