For instance on an iPhone, you can register a new face for FaceID if you know the passcode.

I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into Face ID, all apps using that Face ID are supposed to (forced to?) re-authenticate.

You’re basically correct that apps can use a special mode where they require Face ID to be re-enrolled if anything changes about the credential store. Technically speaking it’s opt-in, but most banking apps use this mode.
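The opt-in mode the comment above refers to is binding a keychain item to the *current* biometric enrollment, so that adding a face or finger invalidates the item and the app must fall back to a full login. The Swift below is an added example, not code from this thread or from any particular banking app; the service name is a constructed placeholder.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error { case status(OSStatus) }

// Constructed placeholder for the app's own keychain service name.
let service = "com.example.bank.session-token"

// Store a secret readable only with the biometric set enrolled right now.
// Enrolling another face/finger invalidates the item, which is what forces
// the app to re-authenticate with the account password and re-enrol.
func storeBiometricBoundSecret(_ secret: Data) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // requires a passcode, never backed up
        .biometryCurrentSet,                             // invalidated when enrollment changes
        &cfError) else {
        return errSecParam
    }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
    ]
    SecItemDelete(base as CFDictionary) // drop any previous copy first
    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

// Read it back; the call itself prompts for Face ID / Touch ID. After an
// enrollment change the item is gone (the query fails, normally with
// errSecItemNotFound), and the caller should treat that as "re-enrol".
func readBiometricBoundSecret() -> Result<Data, KeychainError> {
    let context = LAContext()
    context.localizedReason = "Unlock your account"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        return .failure(.status(status))
    }
    return .success(data)
}
```

Using `.biometryAny` instead of `.biometryCurrentSet` is the weaker setting: the item stays readable by any face or finger added later, including one enrolled by someone who knows the passcode.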