There are vulnerabilities. Some years ago when this was a new feature I got an android phone to use for development for someone. I just generated a new google account on it and promptly forgot the new email and pass.
Time to return it: surprise, it wanted the previous account to log in after a factory reset. I ended up keeping it and paying for it.
A few months later, after a weekend of googling, I found instructions on how to bypass it by using some vulnerability in the browser invoked in the initial set up, got to a browser window with an address bar, used it to download and install some apk with an older version of some system service, and used that to bypass the lockdown.
Of course, it's probably much harder than that now. But it's doable.
There are vulnerabilities. Some years ago when this was a new feature I got an android phone to use for development for someone. I just generated a new google account on it and promptly forgot the new email and pass.
Time to return it: surprise, it wanted the previous account to log in after a factory reset. I ended up keeping it and paying for it.
A few months later, after a weekend of googling, I found instructions on how to bypass it by using some vulnerability in the browser invoked in the initial set up, got to a browser window with an address bar, used it to download and install some apk with an older version of some system service, and used that to bypass the lockdown.
Of course, it's probably much harder than that now. But it's doable.