@dangoodin It's significant, sure, but I'm skeptical of using the term "brief" when it also requires (carefully) removing the current device housing, running the attack with phished credentials against a service that wouldn't rate limit such attempts, and then replacing it with a new housing as well.

I suppose someone who might be a potential target could take some extra physical security steps to make tampering evident, like encasing it in a custom color of liquid+cured resin.