tl;dr:"I found a vulnerability affecting seemingly all Google Pixel phones where if you gave me any locked Pixel device, I could give it back to you unlocked. The bug just got fixed in the November 5, 2022 security update. The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain access to the user’s device."
tl;dr:Sometimes it pays to go down the rabbit hole. A story of David trying to bypass a URL validation and finding a bug in Google's common JS library.