So a new thing I’ve heard about a few times in the past few weeks is someone getting mugged for their iPhone, with the thief demanding their passcode. With just a passcode, you can change the password for an iCloud account (Settings -> iCloud), thus locking out the owner (possibly permanently) and getting (and keeping the owner from getting) all iCloud data.
A possible workaround, until Apple does the bare minimum and requires the existing iCloud password before changing it (or in case they never do this), is to disallow account changes via Screen Time.