OK, I just spent a bunch of time testing this carefully, and while it may be better, it’s not fixed.
Let’s assuming the thief has your iPhone and your passcode, but you’ve turned on a Screen Time passcode and locked account changes but not set a recovery key. The thief can find your email address and phone number from email and Settings > Phone.
Then, if they work through the steps to turn off the Screen Time passcode, saying Forgot Passcode when prompted, entering your email address when prompted, and then tapping Forgot Apple ID or Password, they’ll be able to reset the Apple ID password using just the passcode and turn off the Screen Time password in the same step.
The confusion, I think, is that there’s a branch in the logic at one point, and if they follow the other branch, they’ll be prompted for your trusted phone number or recovery key. The problem occurs at the Screen Time Passcode Recovery screen:
-
If they enter your email address in the Apple ID field here, tap OK, and then get the password field, they can then tap Forgot Apple ID or Password and continue with the passcode to reset the password. In other words, the most obvious approach is the least secure.
-
If, instead of entering your email address right away, they tap Forgot Apple ID or Password first, and then enter the email address, they’ll go into the more secure password reset flow that tells them to continue on your other Apple devices. If they say they can’t get to them, they’ll be asked for your trusted phone number, which they can find out easily. But that doesn’t end up working out, at least in my testing.
When I entered that, I was prompted for the passcode again, but entering it threw me to the Don’t Know Your Passcode screen that was warning my account would be locked for several days. At that point, I bailed—who knows what would happen if I locked my account like this. But I very much got the sense that a thief wouldn’t be able to change the password that way.
I’m being a little waffly here because I only tested a few times—I was just too leery of locking my account or messing something else up entirely. But I’ll report this to Apple and see if anything comes back.
All that said, if you both turn on the Screen Time passcode and set a recovery key, you’re safe. There’s no way to turn off the Screen Time passcode without having access to the recovery key.