I noticed there are two types of PIN keyboards. The first one is the system PIN pad for screen unlock (with the scramble option); the other one is for user-installed apps (like banking apps, notes, messengers), which may implement biometric unlocking with an optional "Use PIN". This PIN keyboard is different, as this feature relies on the keyboard app. You may also see the keyboard pop up in Settings before you edit some security features. Usually, users install third-party keyboards (like HeliBoard and Gboard). We may trust them for casual usage, but I believe it poses a threat when a user-installed keyboard is used to enter a PIN. Thus, I suggest whitelisting com.android.inputmethod.latin as the only option to enter PINs and forbidding all other keyboards installed by the user.