guser39 For PINs, you can enable PIN scrambling, which makes it much harder to guess what PIN number is being entered if you are not directly behind the person entering the PIN number. Even if you are, the numbers are in a different place than a typical numpad, so it may be harder to remember.
The long alphanumeric password is better, because there are many more characters to remember, so it is much harder to obtain the password from shoulder surfing unless you get a recording of it. I still believe it is the most secure option currently, but fingerprint unlocking provides similar security guarantees for significantly increased convenience.
It's worth mentioning that, if you are vulnerable to getting your PIN stolen through shoulder surfing, you are also vulnerable to getting your device snatched while it's unlocked. You need to be aware of the people around you when unlocking your phone.
GrapheneOS plans to eventually implement fingerprint unlocking as a second factor only for first-unlock: https://github.com/GrapheneOS/os-issue-tracker/issues/28
This would be more secure and fit both threat models, but raises the unfortunate possibility of being locked out of your own phone if it is the first unlock. Fingerprint detection is not perfect, after all.