UpStream An individual doesn't need to acquire the PIN or the fingerprint in order to bypass the lock screen when the device is in AFU mode, as seen in the most recent lock screen bypass exploit (CVE-2022-20465).
That vulnerability was patched quickly. One of the best things about GrapheneOS is that they don't delay security patches.
UpStream But to be honest I don't see the sense in protecting the security tab in the settings as well.
Let's say an individual unlocks your phone. So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings).
There are different threat models at play. It's not just about stealing the current data available.
Persistence is a very important concept in security. It is for this reason that the PIN/Password is required for adding a new fingerprint. There are other things within the Security Menu (More security settings) that do not prompt for PIN/Password.
Device Admin apps and Trust Agents are two major things.
Again, it is not only about stealing the current data available.
With only a minute, an attacker can... install a malicious app, make it Device Admin, grant it special permissions, and the victim/owner now has spyware on their phone.
Screen lock camera access is also under the security menu, which could be abused.
Installing certificates is a major attack vector. That one seems to be protected just by re-authing with a fingerprint.
It would be nice to have the option for additional auth factors for these sensitive settings.