We can copy the system we’re trying to crack so that we can make as many attempts as we want regardless of lockout. For example, if I have your iPhone, with about an hour of “surgery” I can read the memory and onboard storage directly, and then it becomes trivial to clone your phone into a computer system that can create 10000 copies and brute force while reloading each phone that gets locked out.

Rule 0 is physical security. If I have physical access to your raw data, be it a copy of your hard drives, or your phone in my hand, you’re already screwed. No amount of security can stop me if I have the full data and system.

People like the FBI and CIA who have the budget to clone a criminal’s devices to 100k+ instances in a data center can just let it run for a week and decrypt. And yes, we can also spoof authentication servers and other checks your device might make to see if it’s “legit”. We can brain-in-a-jar your devices and they have no way of knowing.