Security Implications of eSIM without PIN

What are the security implications of using an eSIM without a PIN in a modern phone, in particular a Pixel with GrapheneOS or an iPhone? Assumptions: someone has physical access to the phone (e.g. the phone is stolen), but has no access to an unlocked phone, and the PIN code is unknown to the thief. I do not assume a state-level actor in this scenario.

From my understanding, the standard Android factory reset process does not delete eSIMs. Therefore, a standard reset on Android would make this eSIM available to the thief even without knowledge of the PIN, correct?

GrapheneOS deletes eSIMs for the duress PIN, but I could not figure out if the same applies for a reset of the phone (e.g. reset due to bootloader unlock). The GrapheneOS factory reset also has the option to remove or keep the eSIM, but this is only after the device is unlocked. Does anyone have knowledge of whether the eSIM gets deleted if the phone is reset without a PIN?

For iPhones, my understanding is that you cannot reset the phone without access to the Apple account. Is this correct? Is the eSIM deleted if the option to wipe the phone after 10 incorrect PINs is turned on?

You can reset the phone, but if you set up Find My, you won’t be able to activate it without the Apple account login next time you try to set it up. It’s just a theft deterrence feature so someone can’t just steal your phone and use it as theirs. They can wipe it though. All the account features happen server-side.

Not sure, but when you factory reset the phone, you can choose whether to keep or delete it. I wouldn’t count on the 10 incorrect PIN erase being triggered by an attacker; they’re probably going to be smart enough not to do that, and it would take so long with escalating timeouts that it probably wouldn’t be worth it when they can just erase it whenever they want anyway.