John Gruber:
Months ago, when I first started grocery shopping while wearing a mask, I switched my iPhone from an alphanumeric passphrase back to a 6-digit passcode for convenience. I did so thinking, basically, that even though a 6-digit passcode is less secure, anything truly dangerous like disabling Find My iPhone requires my iCloud password as well.
It simply never occurred to me that if a thief (or law enforcement, or any adversary) has the device passcode, and your iCloud password is in your keychain, they can get your iCloud password from your keychain. All you need is the device passcode to access all of the passwords in iCloud keychain. Try it — you can.
Go read the linked Daring Fireball post. Imagine someone had your passcode (not just access to your unlocked phone, but the passcode itself) and, through it, access to all the passwords in your iCloud Keychain. That is one helluva security nightmare.
Anyone disagree with this assessment? Is there a missing element here?