Per https://www.imore.com/how-law-enforcement-uses-graykey-devices-access-locked-iphones it appears that they aren’t able to bypass your password and have to brute-force it instead. It’s unclear if they can bypass biometric auth if that’s an accepted auth method.

So, if you’re concerned about this sort of exploit, make sure to use a password with a high level of entropy and that you hold down the power and volume up buttons (or however you disable biometric auth on your device) before handing your phone to a LEO.

But the question is: Can they unlock the device when it is on BFU?