
The secure area of the CPU contains a key that is combined with the passcode so the passcode by itself can only be tried on the actual device, which has speed and retry limits. If the data is copied off, then the key is passcode + unknown number from the secure area, and the entire key length has to be brute-forced (as if the user entered the longest, most random password possible).

So even a 4-digit passcode with wipe on too many failures is secure except against hacking the OS from the lock screen, which is pretty difficult to do. Even then, the cracking has to be done on the device, so while a 4-digit code could be cracked, even a 6-character alphanumeric will take days, and longer passwords are basically uncrackable.
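The entanglement described in the comment above, as an added example that is not part of the original comment: a toy model in which the passcode only yields the right key when combined with a secret that stays inside the device. The `Device` class, the use of PBKDF2 with the secret as salt, the 10-failure limit and the iteration count are assumptions of this sketch, not how any particular device implements it.

```python
import hashlib
import hmac
import os

ITERATIONS = 100  # demo-only work factor (assumption); kept tiny so the script runs fast


def derive_key(passcode: str, device_secret: bytes) -> bytes:
    # Entangle passcode and device secret: the secret is used as the PBKDF2 salt,
    # so the same passcode yields an unrelated key on any other device.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret, ITERATIONS)


def verifier(key: bytes) -> bytes:
    # Stand-in for "does this key decrypt the data": a MAC over a constructed label.
    return hmac.new(key, b"constructed-volume-header", hashlib.sha256).digest()


class Device:  # toy secure area: holds the secret and enforces the retry limit
    def __init__(self, passcode: str, max_failures: int = 10):
        self._secret = os.urandom(32)  # never handed out by this model
        self.stored = verifier(derive_key(passcode, self._secret))  # what can be copied off
        self.failures_left = max_failures

    def try_unlock(self, guess: str) -> bool:
        if self.failures_left == 0:
            raise RuntimeError("wiped: too many failed attempts")
        ok = hmac.compare_digest(verifier(derive_key(guess, self._secret)), self.stored)
        self.failures_left -= 0 if ok else 1
        return ok


def offline_search(stored: bytes, guessed_secret: bytes) -> list:
    # Copied data, no device: all 10,000 four-digit passcodes are tried, but under a
    # guessed secret. A hit needs the right passcode AND the right 256-bit secret.
    return [f"{n:04d}" for n in range(10_000)
            if hmac.compare_digest(verifier(derive_key(f"{n:04d}", guessed_secret)), stored)]


def guesses_before_wipe(device: Device) -> int:
    # On-device guessing from 0000 upward; returns attempts made before success or wipe.
    for tried in range(10_000):
        try:
            if device.try_unlock(f"{tried:04d}"):
                return tried + 1
        except RuntimeError:
            return tried
    return 10_000
```

Searching the whole 4-digit space against copied data finds nothing unless the device secret is also known, while guessing on the device itself stops at the retry limit.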


