how to protect smartphone data against theft?

i assume typical android has fully encrypted disk with a key stored in a header. header is encrypted using pin / pattern / fingerprint or not encrypted when there is no lock. is that correct?

when the phone is on, a thief can use the OS to access the data. pin and pattern accepting delay will be sufficient. also all the theft protection application might kick in in this scenario

but what happens when the thief turns off the phone and takes out the disk. he can run simple brute force. 4 or 6 digit pin, patter and probably a fingerprint is not a problem for the disk password bruteforce, right? are there any hardware level (NAND level?) protection mechanism? or the only thing that works would be a strong disk password?

if no, is there an option to set strong disk password and separate pin password / pattern / fingerprint for OS level protection? or is there any other way of keeping your data secure in case of a theft (android device)?