If I attempt to re-lock the bootloader after getting /e/ installed, I’m presented with an option to lock the bootloader at which point a factory reset will be performed. Or I can choose to not lock the bootloader and the phone will restart.
Does leaving the bootloader unlocked mean anyone who happens upon my phone will be able to get data off it or flash a new image to it, after getting into Recovery Mode, from the Bootloader?
Yes, that’s right. But as far as I know, the onlyencryped device where you can lock the bootloader after flashing any custom rom is OnePlus.
You can encrypt your phone, so no one has access to your data.
But a flashing is always available for every one who has the phone in his hands.
There are only a few devices (Pixel, Xiaomi Mi A) with the bootloader re-lock support, and very few custom ROMs allow you to do so on modern devices with Verified Boot technology.
At the same time, many people would fairly advise you not to re-lock bootloader with custom ROMs, because if something happens to the installed OS, your device will be permanently bricked, because you no longer have the opportunity to reflash it if your bootloader is locked.
That’s fairly poor advice in terms of device security. Nothing should be happening to the installed OS. And if there is tampering with the OS then the data should be inaccessible. That’s the whole point!