So what would happen if someone stole one of my phones?
1. They'd have to be quick about doing something with it, as Apple's new 'device left behind' feature in Find My will scream at me if the damn things got too far away. Or they'd have to steal both phones. And both iPads. And the Apple Watch. As soon as I detect that one or more is gone, I'd light up Find My and go looking for them... or just remote erase the things. If found, it's trivial to reimage them by plugging into a computer and downloading the last saved backup. I back up the various devices nightly. Doesn't everyone?
2. The facial recognition on one phone and one iPad is turned off. The fingerprint recognition on the others is turned off. I have 12-digit passcodes, with capital letters, common letters, and numbers. Different passcodes for each. Yes, it's a pain, but working out how to unlock the things before I remote erase them would be more of a pain for the thief. The watch is on my wrist when it's not charging at night. I'm fairly sure that I'd notice if the watch went missing.
How about trying a SIM-swap? Well, if they did, one device would drop off the net... and Find My would scream. And the attempted thief would have a problem, as my backups are to my local computers, not to iCloud. They could restore the apps, but not the various settings, including passcodes, because iCloud knows what apps I have but not anything else. Also, I have my Discover card linked to Apple's wallet thingy... and as soon as the phone drops off the net, the wallet thingy would scream. I might/might not notice Find My screaming. It's hard to miss the wallet notifying me that my Discover card is not linked anymore. I get on the non-SIM-swapped phone and yell at the telco pretty much immediately. The thief isn't going to have much time to even download the various apps before the SIM-swap is reversed, if necessary by my canceling the phone. If they somehow get their phone to access my AppleID, I can remote erase their phone. And they'll have a problem signing in to my AppleID; first, they have to know the ID, then they have to know the 15-digit passcode, uppercase letters, lowercase letters, numbers, symbols. And then they have to get the access code for turning on a new device; Apple sends a six-digit code, all numbers, to trusted devices. Which the new device isn't, yet. They can't get on the phone easily, before I can nuke them. They can't access any of my Apple stuff, easily, before I can nuke them. They can't get to pretty much anything else, not even my Kindle books; that's a different account and a different 10-digit passcode. And if they somehow get the AppleID, I can nuke them _easily_ and with extreme prejudice. Meanwhile, I get the telco to SIM-swap back.
I don't use webmail unless I have to, and never on a phone. My email passwords are in my Keychain... but that's locked up unless my AppleID is available, and if they somehow get my AppleID on their phone I'll nuke them in under a minute. The Keychain on the iDevices allows access to certain accounts, but does not tell the user the actual passcode. They'd have to figure out which accounts to access, and fire up the Keychain, and do it before I dropped a bucket of instant sunshine on their ass. Using most email on the iDevices would demand 2FA, which they won't have, and the Keychain, which they won't have. 'Most email' includes Apple's mail, Google's mail (which I no longer use, so they are welcome to try to access that non-existent account...), Zoho's mail, and a lot more. The only email that I have that doesn't require 2FA is AT&Stupid, and as I only use the AT&Stupid email to talk to AT&Stupid, lots of luck getting anything useful out of that.
And, oh... I have iDevices on two different telcos, always have. One telco is currently T-mob, the other is currently AT&T. I used to use Sprint, before they got eaten by T-mob, and Verizon; I dumped Verizon after one encounter too many with Verizon non-support. Believe it or not, Verizon makes AT&Stupid look good. Verizon support is worse than Comcast. Let that sink in for a minute, there's something worse than a cableco! Both T-Mob and AT&Stupid require a PIN before they can do anything to the account, including making a SIM-swap. T-Mob is six or more digits, AT&Stupid is four. I picked my PINs to be hard to guess. And not to be the minimum, except with AT&Stupid because they max out at 4. They're _stupid_. But they're not as customer-hostile as Verizon.