Can anyone speak to the relative safety or lack thereof using FaceID on individual apps while requiring a PIN to login to the device?

I have my phone setup this way because FaceID can be so convenient. I know it opens up more attack vectors than not using it but is it possible for a powerful actor to utilize the fact that it is enabled at all to gain access to a locked phone?