Incorrect. You could just use a different recovery image that doesn’t ask for any PIN code (either an old Jolla one, a random Android one, or you just create one yourself).
To a somewhat dedicated attacker, this would be just a minor inconvenience, no real obstacle…