IOS – If you give your iPhone + Passcode to someone, what harmful things could they do to your data/privacy/security

I hope the information in the answer is used keeping ethical intent in mind, and there's no intention to misuse the information.

What harmful things can they do?

Playing devil here, I would do the following:

1. Change fingerprint/face data for use with Touch ID/Face ID. I'd remove existing fingerprints/faces and add mine. (This action could go somewhat undetected in case wherein you have multiple fingers registered. I could remove just one finger and register one of mine. This would however be caught when accessing 1st party app such as App Store, where you are asked for your Apple ID password, as discussed in point #3 below).

2. Change the passcode itself. (This could go undetected initially, until you chance upon entering the passcode, say for example after a restart).

3. If I change the Touch ID/Face ID data, I'll obviously be able to lock and unlock the iPhone freely without restrictions using either Touch ID/Face ID or Passcode.

   Having entered my own Touch ID/Face ID data will give me access to host of settings. I'd also be granted access to the whole host of 3rd party apps that were protected by Touch ID/Face ID, such as WhatsApp, Dropbox etc. (Although 1st party apps such as App Store will require you to enter your Apple ID password before enabling new fingerprint/face data). Some 3rd-party apps such as 1Password are well guarded as they will ask to authenticate via the account password before enabling newly registered fingerprint/face data.

   

4. I'd be able to send unintended messages using commonly used chat apps such as Messages/WhatsApp to contacts. I'd also delete the conversation to remove the traces.

5. Wipe data off iCloud. This will lead to irreversibly losing critical data synced to and stored on iCloud such as contacts, emails, photos, notes, documents etc.

6. Remove data stored and synced on iCloud by 3rd-party apps.

7. Uninstall apps freely which will likely cause you to lose locally stored/non-backed up data.

8. Remove other devices linked to your Apple ID via iCloud settings.

9. Change privacy settings by enabling/disabling specific apps access to location/contact data etc.

10. Simply access/copy-off private data such as contacts, notes, photos without changing anything as discussed above and thus, you never noticing it.

11. Copy data off your iPhone from apps that support File Sharing. Once simply needs to unlock iPhone, connect to a computer with iTunes installed and trust both on computer and the iPhone.

12. I'd be able to link a brand new device to your Apple ID using iOS Quick Start. If your email client app if set up on the iPhone with your Apple ID email, I'd delete the email alert that you receive when a new device is linked to your Apple ID.

13. Delete the call log from Phone app.

14. Leave app reviews and ratings on the App Store. This may be hard to notice easily.

15. Enable/tweak Family Sharing and invite myself your family. I can then access paid apps and music on my device. After doing the deed, I can also remove myself from Family Sharing or disable it, and remove the traces.

I would obviously not be able to access/change settings which require Apple ID password. This includes turning off Find My iPhone and logging out/resetting the iPhone.

What trace would be around to identify those actions?

From the user standpoint, there could be minimum to no traces to identify the actions. There's no on device mechanism to access device access logs.

Assume that the user never attempt to unlock the iPhone or apps using Touch ID/Face ID and always use the Passcode. They could still access and copy off data such as photos, contacts via unidentifiable medium such as AirDrop.

It appears that Face ID is slightly better at protecting you here compared to Touch ID, as it currently allows only one face to be registered at a time.