If someone wanted to brute force a device that is BFU, they need to exploit that secure element in addition, rather than just the phone. Very old Pixels we do not support anymore have secure element exploits as per the Cellebrite documentation.