They can flash stock firmware and resell it.
Without knowing the exact build number of the device, your data will not be kept after flashing. (I say this because it is possible to keep sdcard storage on some Samsung devices if you flash the exact same build number, but it's a long shot if you don't have it written down.)
They would have to spend a lot of money for professional equipment/service to get your data off of it. To name some potential tools out there: reverse JTAG (privately owned, requires a specialist), government software, even Dr. Fone may be able to recover some pictures here and there, but that depends on how the flash image matches up (small chance).
IMO, there's not much to worry about as far as data. Report your IMEI stolen, then go on eBay and Craigslist twice a week and see if you can find it! Search your IMEI # in titles and descriptions, and message sellers to ask what their IMEI is, etc. You'll probably find it! Better yet, you may be able to track the loser down!