Getting to a browser isn’t really a security vulnerability; many devices will even have a “guest” mode that provides direct access to the internet.

Getting to a browser is an open gate. Why leave the gate open?

Letting your kid or younger relatives use up your mobile data from your locked phone might not be a vulnerability but definitely isn't the expected behavior.

If you have physical access to the device it was game over to begin with.

A similar trick must be used when resetting some old Android devices, can't set up account because date/time is wrong, can't set date/time because still on set up account screen