If your phone has fingerprint unlock support, there’s usually a second chip (TPM, Secure Enclave, equivalents) that is in charge of providing the phone with its encryption key when the fingerprint lock is used. Finding a vulnerability in this chip can often be a way to get access.
Also if the phone is on and was unlocked at least once, the encryption key is in memory somewhere and is vulnerable to regular old software exploits.
(Both of the above can be prevented by shutting down the phone before the search attempt)
Finally, if there’s a vulnerability that lets you reset the number of passcode attempts (which has to be loaded in memory somewhere, meaning a bootrom or kernel exploit could be used to modify it) and your passcode isn’t super long (4-digit PIN, some 6-digit PINs, pattern lock), it’s possible to make what is effectively a password guesser and use it to break the password lock within an hour or so.
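An added example, not part of the original comments: it sizes the passcode types the comment above lists (4-digit PIN, 6-digit PIN, pattern lock), enumerating the Android 3x3 pattern count rather than assuming it. The guess rate is an assumption back-derived from the comment's "within an hour or so" for a 4-digit PIN, and all function names are hypothetical.

```python
from itertools import product

# Assumption: guess rate back-derived from the comment's "within an hour or so"
# for a 4-digit PIN (10,000 guesses / 3,600 s). Real rates depend on the device.
ASSUMED_GUESSES_PER_SEC = 10_000 / 3_600

POINTS = list(product(range(3), range(3)))  # 3x3 Android pattern grid


def _jumps_unvisited(a, b, visited):
    """True if the segment a->b passes over a grid dot not yet visited."""
    sr, sc = a[0] + b[0], a[1] + b[1]
    if sr % 2 or sc % 2:          # no dot lies exactly between a and b
        return False
    return (sr // 2, sc // 2) not in visited


def count_patterns(min_len=4, max_len=9):
    """Enumerate valid unlock patterns of min_len..max_len dots by DFS."""
    def dfs(cur, visited):
        total = 1 if len(visited) >= min_len else 0
        if len(visited) == max_len:
            return total
        for nxt in POINTS:
            if nxt in visited or _jumps_unvisited(cur, nxt, visited):
                continue
            visited.add(nxt)
            total += dfs(nxt, visited)
            visited.remove(nxt)
        return total
    return sum(dfs(p, {p}) for p in POINTS)


def hours_to_exhaust(keyspace, rate=ASSUMED_GUESSES_PER_SEC):
    """Worst-case hours to try every candidate when no attempt limit applies."""
    return keyspace / rate / 3600


def keyspace_report():
    """Map each passcode type to (candidate count, worst-case hours)."""
    spaces = {
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "3x3 pattern (4-9 dots)": count_patterns(),
        "8-char lowercase+digits": 36 ** 8,  # constructed comparison case
    }
    return {name: (n, hours_to_exhaust(n)) for name, n in spaces.items()}
```

At the assumed rate the pattern lock falls between the two PIN lengths, while the 8-character alphanumeric passcode is several orders of magnitude beyond all three.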
To be clear, one can and probably should restart the phone after shutting it down, just so long as one doesn't log in with the correct password. It might even be useful to enter the wrong password twice to further reset any memory imprints.
AFAIK most devices wipe the key from memory after a certain for this reason. My iPhone regularly forces me to enter my passcode instead of allowing me to use FaceID.
iPhone added this feature very recently (just a few months ago, it basically just randomly restarts the phone if it is unused and not connected to a network for over 24-48 hours - phones connected to a network can be erased via iCloud). Android doesn’t have it at all.
There is a shortcut, however, on iOS to secretly put an iPhone into BFU mode - quick tapping the power button 5 times will lock the phone and erase the aforementioned in-memory keys so that it needs a password to unlock.
(EDIT: it does not actually put the iPhone into BFU mode. It just disables biometrics.)