After First Unlock. When a device is powered on, encryption keys to decrypt data are not in use until you use the device credential for the first time. With BFU (Before First Unlock) these are at rest in the Pixel's secure element. There is a huge difference between a device not unlocked once after boot and a device that is when it comes to exploitable attack surface.

final

expatriotic

bitcoin

Cold storage without a hardware wallet

will reiterate: the exploit only worked on AFU devices, this scenario assumes device is AFU and using the profile the wallet is in.