Yes.
A couple of levels of encryption going on. You have at-rest encryption (e.g. full disk encryption, unreadable when powered off). But at the app level, things start getting a bit more complex. Basically, depending on the app and what protection class it uses, data could always require the device unlocked, data could be available after first/one unlock, or data could never be protected.
So, you start getting into things like the news stories re: forensic tools that can scrape data off the device by exploiting bugs in the OS, jailbreaking, etc., allowing some access to get at your data. Or trying to break your PIN.
Years ago, there was a bug with "erase after 10 attempts" where if one powered off/on the device (iirc) after 9 attempts, you got 9 new attempts.
A 6-digit PIN is OK, 6 characters or more would be better.
Depending on how your lock screen is configured, it could be giving up personal information, temporary authorization codes/2-factor codes.
Now, a rando on the streets will probably not be able to get into it, but you never know who might get their hands on it after the rando.
If you lose the device, you do want to sign into appleid.apple.com to remove any Apple Pay information, and possibly remove it from your account (i.e. not have it as a trusted device). It's not much more effort to go to Find My and erase the device.
Heck, erase the device via Find My and you've taken care of the other stuff in one step.
As the old computer nerd saying goes, if it's accessible/usable, it's vulnerable. There are always bugs, holes, exploits.
If you want to get into the weeds re: Apple device security, a great, long read can be found here. Link to the PDF at bottom of the page (and page 75 in the PDF is where iOS protection classes get discussed).