
awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
Apple allows you to add one or more trusted accounts to recover your account.

For example, if I set my friend up as a trusted account and then his device is stolen, assuming the thief gains access to his device, can this compromise my account as well?

It's possible that this procedure may involve more risks than benefits.
 

awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
In that scenario, there is no risk to your account.

Thanks for the reply, so even if the attacker accesses the device, even though he can read my email and generate a code, he can't compromise my account?

ios15-iphone-12-pro-settings-apple-id-password-security-account-recovery-get-recovery-code.jpg
 

awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
You should delete that pic (if that is you) so that the email doesn't get spammed or targeted.

As long as you have a good strong account password and two-factor authentication turned on, you should be fine.

Thanks, the photo is from the Apple site, don't worry 😄

Screenshot 2022-12-11 alle 17.27.28.png
 

VineRider

macrumors 65816
May 24, 2018
1,337
1,149
I was curious how this worked myself, so I set it up on a test account and added my real iCloud address as a recovery contact for the test account. I did this process on my iPad via the Apple Support app's forgot-password option and used my iPhone to create the recovery code. A third device, an iPad mini, held the account I was trying to reset (the test account).

Assume that your recovery contact lost their phone or other iOS device, or it was stolen. The question is, if someone broke into your recovery contact's phone, can your account be compromised?

Assume the bad actor has access to the recovery contact's phone and wants to gain access to your account, since they can see your information in the recovery contacts screen (your iCloud address is visible there).

They start the recovery process to reset the password to your account. The first thing it asks them to do is complete the phone number for your trusted phone numbers. Let's assume they know that, since you are likely in your recovery contact's address book (the screen gives the last two digits of the trusted number). If they don't know the number, they cannot go any further.

Assume that they enter the correct trusted phone number. Next, it asks to send a code to that number. Obviously, they are not going to do that, as they don't have your actual device. They select the option that they don't have access to that device and need help from their recovery contact (since they have the recovery contact's device in hand).

They select that they have a recovery code and enter it from the recovery contact's device.

Next, it asks for the passcode of another iOS device on your account. Since they won't know this, it asks them to choose another device. It brings up a list of your other Apple devices, but they will not know the passcode to any of those devices either (assuming you have passcodes on your devices).

Since they don't know your passcodes, the only other recovery option is to go through Apple, and it states that this may take several days.

When I tried this via a web page (the Apple ID forgot-password site), it sent a prompt to the test device allowing it to change the password, so a bad actor would inadvertently let you know your account was being probed, as you'd get the alert on one of your iOS devices. Even this way, if they say they don't have access to that device, and they don't ultimately know your passcode, they cannot reset your account.

I may have skipped a step in my description above, but I tried this several times, and the bottom line is: if they don't know your device passcodes, they cannot reset your account, other than by starting the recovery process from Apple, and they are not going to be able to do that, as Apple will require some kind of verification as well, and you will certainly be alerted that something is amiss before the account is reset.

Overall, I think the likelihood of someone getting into your account via your recovery contact's device is very, very remote.
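The walk-through above is, in threat-modeling terms, a set of AND-gated factors: the recovery code from the contact's device is only one of them. The Python below is an added example written for this thread, not code from the post and not Apple's implementation; the capability labels, the two self-service paths, the "owner alerted" flags and the owner-configuration switches are assumptions that follow the steps VineRider described, nothing more. It evaluates which path, if any, a given attacker can complete and what each remaining path still lacks, which is the defender's view of where the controls (device passcodes, the trusted number not being guessable) actually sit.

```python
"""Threat-model sketch of the account-recovery flow described in the post.

Added example: not from the thread and not Apple's code. Capability names,
paths and flags are assumptions taken from the post's description.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Attacker capabilities (constructed labels).
KNOWS_TRUSTED_NUMBER = "knows trusted phone number"
HAS_TRUSTED_DEVICE = "controls one of the owner's trusted devices"
HAS_CONTACT_DEVICE = "controls the recovery contact's device"   # can generate the recovery code
KNOWS_DEVICE_PASSCODE = "knows the passcode of another device on the account"


@dataclass(frozen=True)
class RecoveryPath:
    name: str
    required: FrozenSet[str]   # every one of these is needed (AND)
    alerts_owner: bool         # the post reports a prompt on the owner's devices


# The two self-service paths in the post. Manual recovery through Apple is
# reported separately as a fallback because it takes days and adds verification.
PATHS: List[RecoveryPath] = [
    RecoveryPath("trusted-device prompt",
                 frozenset({KNOWS_TRUSTED_NUMBER, HAS_TRUSTED_DEVICE}),
                 alerts_owner=True),
    RecoveryPath("recovery contact code + device passcode",
                 frozenset({KNOWS_TRUSTED_NUMBER, HAS_CONTACT_DEVICE,
                            KNOWS_DEVICE_PASSCODE}),
                 alerts_owner=True),
]


def effective_capabilities(attacker: Set[str], owner_devices_have_passcodes: bool,
                           owner_in_contacts_address_book: bool) -> Set[str]:
    """Derive what the attacker can do from what they hold plus owner configuration.

    Mirrors two assumptions in the post: the trusted number is readable from the
    contact's address book, and a device without a passcode makes the passcode
    step free.
    """
    caps = set(attacker)
    if HAS_CONTACT_DEVICE in caps and owner_in_contacts_address_book:
        caps.add(KNOWS_TRUSTED_NUMBER)
    if not owner_devices_have_passcodes:
        caps.add(KNOWS_DEVICE_PASSCODE)
    return caps


def evaluate(attacker: Set[str], *, owner_devices_have_passcodes: bool = True,
             owner_in_contacts_address_book: bool = True) -> Dict[str, object]:
    """Report whether any self-service path completes and what each path still lacks."""
    caps = effective_capabilities(attacker, owner_devices_have_passcodes,
                                  owner_in_contacts_address_book)
    completed = [p for p in PATHS if p.required <= caps]
    # Defender's view: the capabilities every blocked path is still missing.
    shortfalls = {p.name: sorted(p.required - caps) for p in PATHS if p not in completed}
    return {
        "can_self_service_reset": bool(completed),
        "paths": [p.name for p in completed],
        "owner_alerted": any(p.alerts_owner for p in completed),
        "still_missing": shortfalls,
        "fallback": None if completed else "manual Apple recovery (days, further verification)",
    }


if __name__ == "__main__":
    # Scenario from the thread: only the recovery contact's phone is in the attacker's hands.
    stolen_contact_phone = {HAS_CONTACT_DEVICE}
    print(evaluate(stolen_contact_phone))
    # Same scenario, but the owner's other devices have no passcode set.
    print(evaluate(stolen_contact_phone, owner_devices_have_passcodes=False))
```

Run as-is, the first scenario reports no completable path, with the contact-code path blocked only by the device passcode; flipping the passcode switch shows that path opening, which is exactly the "assuming you have passcodes on your devices" caveat in the post.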
 

awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
Awesome, thanks a lot for all the explanations! 💙
 