
I admit I still use a 6-digit passcode, but if you're actually serious about protecting your data you should be using an alphanumeric password anyway. Even ignoring the server-side stuff, that single password unlocks most of the data on your phone.


It's much easier to securely limit invalid PIN attempts on a device locally than in the cloud, though. This is the bread and butter of embedded security cores like the secure enclave or Google's Titan M.

Users shouldn't be forced to use high-entropy local passwords just because a service provider insists on reusing them for a completely different purpose.



