Summarizing, there seem to be multiple (at least two) levels of protection.
First, and major, protection is when the device is off, or at the lock screen. All data should be 100% safe at this point. (Occasionally we do hear about phones getting broken into, e.g. by the police. This makes me doubt the 100% safety.)
Second, when the phone is unlocked and you temporarily give it to someone else, e.g. a friend to make a phonecall, or view some pictures. In this case I would still want an additional layer of protection for certain sensitive data.
Yes, I know, I should make a guest account for this and switch to the guest account before handing out the phone, but this is tedious and you can be sure you forget to make the things that you want to share available to guests…
And we must keep in mind that beneath all apps is a support layer (Google Services) that is capable of doing literally anything. It has all access to everything. A malicious app running under a guest account could gain access to sensitive data using the Google Services – we just do not know and hence we can not be sure.
For this reason, procedures to root a device usually include disabling the storage encrypion.