True, and it only applies during the period where the device is freshly booted, until the Code is entered.
While the OS/UI are running, encryption does not really make a difference, and attack vectors become things like malicious apps, or breaking ssh access if that is enabled.
The developer/devel-su password is relatively weak per default (but random which is good), but can be set properly by the user.