I am a bit surprised that there is no explicit declaration that they don't have user's passcode.

It should be obvious, but I think it should also be stated in a way that makes it a lie if it's later discovered that left some way to access or keep the passcodes.