How would they get your password?
Again, this idea they could use grey hacking tools is pretty far-fetched and remote, given the costs and hassle involved. And the time-down on 6+digits attempts, would take ages. All without ever going online, even by accident, what… like fiddling around in a faraday bag or something over all the days/weeks/months of time.
Thieves want the device for quick/easy money – despite a blocked device only being good for parts for the typical lowbrow thieves, and the few better thieves might be able to wipe and resell (as per Glen said above).
They can’t be bothered to “grey-hack” your device, given in most likelihood there are lots of flaws in doing so, and the data wouldn’t be current.
If they want card info, they’d go on the dark web, and buy them by the hundred: a million times more cost effective returns.
Put it this way, my stolen device is still on my account from Sep.2020, and no spending has appeared on any of the 7-10 cards in Apple Wallet. Despite me attempting to be spear-phished by the thieves for my Apple ID logins. That tells you a lot about (mostly opportunist) thieves.