This makes some good points. Slightly off its main topic, can iOS or an app treat Face ID and passcode auth differently, or are they completely unified?

For example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.

Edit: there's a newish feature, Stolen Device Protection, that works along these lines - https://support.apple.com/en-us/120340