Some issues I've seen so far:
If you have stolen device protection on, you can still access contacts without any authentication. Many people have their home addresses in their contact card.
You can still access significant locations with a PIN fallback when not in a significant location.
You can access Maps without any authentication and many people have their home and work addresses as favorites.
I am sure there are other examples, but all this to say, if a thief has your PIN, it's not that far of a stretch for them to find one of your significant locations, go there, and do their thievery.
This is still much better than what we had before, but I think it's still lacking in preventing someone from stealing your account if they have your PIN code. It does give you time to put your phone in lost mode and/or erase, but it's not foolproof IMHO.
PS, when I put a test phone in lost mode with SDP turned on, it would only unlock with Face ID and would not fall back to PIN code, so that is good.
EDIT: Just tested this again with my main phone in a significant location. I put my phone in lost mode, and the phone prompted for my passcode to validate Face ID. I put in my PIN and then it needed to validate my Face ID just as stated. I didn't allow my phone to see my face and it went back to the lock screen.
So, I think the safety net if you get your phone stolen is to put it in lost mode as quickly as possible. It cannot be unlocked without Face ID even if it's in a known significant location.