Edit: Removed initial comment, confused my iOS faults.
Keychain in its current configuration is risky, given it's coupled to your iPhone password, which many people frequently enter in a public setting. One shoulder surf followed by a phone theft and they've unlocked everything - including your iCloud account (which you can change the password on using iPhone password only).
If I go to system settings > password on iOS, it then requires Face ID to get in. So I’m not sure what you’re talking about. Under Face ID & passcode you can also require Face ID for a password auto fill. So I don’t think any of this is correct.
Are you sure? I always have to scan Face ID, whether it's to open the "Passwords"-section in Settings or to have it automatically paste a password on a website/app. How do I access these things without additional authentication?