Celebrite requires the user to have physical access to the phone.
Apple provides a way for the user to erase the phone before surrendering it, but it takes some time to execute.
The Find iPhone app allows for the user to remotely erase the phone, providing the phone is on and still connected to a network.
Apple also allows the user to set the phone for automatic erasure after 10 failed passcode attempts, which will defeat any brute force attack.
Compared to the rest of the market, Mac OS and iOS devices are damnably difficult to hack. Market prices for successful exploits reflect this. Apple exploits are orders of magnitude more costly.
HOWEVER, the Achilles heel for ALL devices using cellular communications is the Control Channel in cellular communications systems. To allow for roaming and interoperability among various vendors and systems, it is wide-open, unsecured, simple to access, and readily comprehended.
Those vulnerabilities will not permit access to your device, but they can monitor, capture, and spoof all incoming and outgoing traffic, as well as track your location.
There is nothing Apple, or any other cell phone vendor can do to close those vulnerabilities. They are the responsibility of the cellular providers, who have no real incentive to fix them.
Both GreyKey and Cellebrite recommend using their products in a Faraday cage or shielded room where no signals from outside are present, thus blocking any attempt from owners, agents, henchmen, or family to erase the device by FindMyiPhone.
Both bypass the countdown attempt erasure built-in by Apple and allow unlimited brute force attempts at guessing the passcode. The only method of preventing that break-in is to use a complex passcode that requires an amount of time that causes them to give up. A seven character alphanumeric plus symbol passcode is such a complex passcode that will take thousands, if not millions of years to try all the possible passcodes.
Actually, there is, at least for messaging. iMessage has bi-directional 256bit AES encryption which is uncrackable. The encrypted data can be intercepted, but for the interceptor, all they get is incomprehensible gobbledegook. It doesn’t help with email or voice communications.