Android has two ways of encryption.
FBE = File Based Encryption, newer.
FDE = Full Disk Encryption, older.
FBE is only secure when the system partitions have dm-verity enforced and verity is only enforced when the bootloader is locked.
FDE is a bit more resilient with an unlocked bootloader since there is less data left unencrypted.
However in either scenario without a locked bootloader and verity it is trivial for an attacker to insert malicious code that can then run once your device is unlocked and send off your files.
If left unattended, an attacker could install bootable code that impersonates your normal startup sequence, prompting for your encryption key and booting as normal, but secretly storing or forwarding the key to the attacker.
(I believe this is an example of an evil maid attack, although that name for it is somewhat new to me.)
A locked bootloader would prevent such code from being installed, or at least refuse to run it.
I think the missing part is generating your own key inside the secure boot mechanism, and the disk encryption being tied to that. Evil maid re-unlocks it -> encrypted data is lost.
This reddit thread makes it sound like FBE isn't particularly secure once the bootloader is unlocked. I'm not an expert on this but the more I looked into security around LineageOS the more I realized losing my phone would/could be a serious issue.
