The before first unlocked state is considered more secure, file/disk encryption keys are in a hardware security module and services aren’t running so there is less surface for an attack . When a phone is taken for evidence, it gets plugged into power and goes in a faraday bag. This keeps the phone in an after first unlock state where the encryption keys are in memory and more services that can be attacked are running to gain access.
The before first unlocked state is considered more secure, file/disk encryption keys are in a hardware security module and services aren’t running so there is less surface for an attack . When a phone is taken for evidence, it gets plugged into power and goes in a faraday bag. This keeps the phone in an after first unlock state where the encryption keys are in memory and more services that can be attacked are running to gain access.
So hourly reboot is what you’re saying
Depending on your threat model