
> the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN

I am not a cryptographer: why would a 6-digit screen lock PIN with this system be any safer than a 6-digit numeric password on the web (i.e. not very)?



In order to exploit the 6-digit password across the web, the attacker needs 1) the password, 2) web access from anywhere in the world. To exploit the PIN guarding your phone, the attacker needs 1) the PIN, 2) your phone. You can't prevent the attacker from having access to the internet, but you are probably reasonably good at protecting your phone physically.


Generally, most devices don't encrypt/protect your data with that 6-digit PIN directly. They store the important secrets like device encryption keys in some kind of secure enclave/processor that does things like rate limit the PIN attempts to prevent brute-forcing. What the fingerprint or face scan is doing is just unlocking that secured data a different way.
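As an added illustration (not code from any commenter or any real enclave), here is a toy model of the kind of rate-limited PIN gate described above: the PIN never protects data directly, it only unlocks a stored device key, and the gate itself throttles and eventually wipes after repeated failures. The attempt limits, delays and clock handling are assumptions for the example.

```python
import hashlib
import hmac
import os

PIN_SPACE = 10 ** 6  # every 6-digit numeric PIN


class PinGate:
    """Toy model (constructed for this example) of a secure element that keeps
    the device key behind a PIN and enforces its own guess throttling."""

    def __init__(self, pin, max_attempts=10, base_delay=1.0):
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)
        self._device_key = os.urandom(32)  # what the PIN actually protects
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.failed = 0
        self.locked_until = 0.0  # clock time before which guesses are refused
        self.wiped = False

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 20_000)

    def try_unlock(self, pin, now):
        """Return the device key on success, None otherwise. `now` is the
        caller's clock so the throttling policy can be exercised offline."""
        if self.wiped or now < self.locked_until:
            return None  # refused before the PIN is even compared
        if hmac.compare_digest(self._derive(pin), self._digest):
            self.failed = 0
            return self._device_key
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.wiped = True  # key destroyed; further guesses are pointless
            self._device_key = None
        else:
            self.locked_until = now + self.base_delay * 2 ** self.failed
        return None


def success_probability(attempts):
    """Chance a random-PIN guesser wins with the given number of guesses."""
    return min(attempts, PIN_SPACE) / PIN_SPACE


def unthrottled_exhaust_seconds(guesses_per_second):
    """Time to try every PIN against an endpoint with no throttling at all."""
    return PIN_SPACE / guesses_per_second
```

With a wipe after 10 failures, `success_probability(10)` is one in a hundred thousand, whereas `unthrottled_exhaust_seconds(1000)` shows an unthrottled online check falls in under twenty minutes.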


Many phones block access after too many false PINs; if the web password has the same feature, there is no difference.


If your physical device can be unlocked remotely with a 6-digit number, not much, but that's not generally the case.



