My 7 year old son discovered a security flaw on my phone(S9+), protected by Iris scan enabled screen lock, while exploring his way to get into my locked phone.
I have notifications enabled on my lock screen. So the following is the procedure he does.
Slide the notification(when it is available) and it exposes a settings icon. Press that. Ideally he should be prompted for the password. But most of the occassions he could manage to get into the settings(which he could minimise and go to the homescreen) and do what ever he wants. This is quite consistent.
This is surprising, I have heard stories about siblings/twins being able to break iris scan. But this is even more dangerous as any who got access to the phone can unlock it.