Guess I am very late with my reply, only saw the thread now and didn't go through all messages. The phone was robbed, not stolen - I don't say this to nitpick. When filing a police report and all that it makes a big difference, if you call the cops to report a robbery they will usually send someone immediately and try to locate the criminals. Whereas theft is treated with low priority. I was robbed before and there was a bit of confusion until the officer realized that I had a description of the guys and they were likely still walking around on foot.
Maybe less relevant in a crowded tourist spot, I am sure these are professionals doing this every day wheras my robbery was of opportunistic nature and uncoordinated.
Your assumption that the criminals kept the phone unlocked and went through everything is most likely correct. Nowadays even the most stupid criminals have caught on that locked Apple devices are pretty useless and don't sell well anymore. There is a good chance they robbed you just for the info stored for further phishing/extortion ("we have all your data, pay us or else!") schemes where they might make many thousands. The phone itself is worthless in comparison.
The message you received indicates the phone was indeed erased later, there is no confirmation afterwards as the phone will at that point remain locked with all functionality disabled except entering your Apple password to unlock it.
I strongly suggest you change your Apple ID password just in case, but not just that one:
Was it possible to access your e-mail account directly via the Mail app or were you perhaps logged into the account in Safari? They could have received and sent e-mails, possibly to reset other accounts where you can reset passwords via e-mail.
If you can restore ("permanently") deleted e-mails with your e-mail provider, you should do that and see what comes up, and contact your e-mail provider's helpdesk as well and ask them if they can see any further deleted e-mails. This can help you determine if the criminals did attempt anything via e-mail.
You should use this as an oppertunity to change the password on all your accounts, and possibly use a password manager. You could use the Apple default keychain for storing passwords as that would be locked by FaceID and your iPhone's passcode - but if someone spies your passcode, that's an issue. You can use a third party manager instead that has its own separate code.
It is good you now enabled screentime protections for account changes, since they did not know your passcode they couldn't do anything about your Apple ID password anyways, but in case someone does find out your passcode it's good protection for the time it takes you to remotely lock and wipe the device.
I only have the phone exposed if it appears safe to do so, hold my phone even when it’s in my pocket and have an immediate plan to execute if phone is stolen.
You might want to account for being in distress in case you were held at knifepoint etc., at that moment you might not be able to recall something like an Apple ID password from memory even if you know it by heart right now.
I'm trying to figure out if Apple's iCloud Two-Factor Authentication which sends a six-digit code to your other logged in devices would prevent your iCloud account from getting hijacked.
It does not as your iCloud logged-in Apple device is already implicitely trusted and can make any and all iCloud changes. It can also be used to confirm 2FA. So if anyone gains access to one of your Apple devices and knows the passcode that's game over. Apple's threat model unfortunately does not account for that at all. I consider that a grave oversight especially since criminals have successfully taken over accounts like that already, so it's by no means theoretical-only. You should lock down account changes in screentime and set a code that is different from your passcode, but that is only a short-term solution for the time it takes you to remotely lock that stolen device.
