Here's my updated list of suggested solutions from this thread and casually talking to friends.
I jot this stuff down fairly quickly while talking so expect it to be imperfect 
Solution Suggestions:
01) In order to change your iCloud password you should have to enter in the old/current password AND the device unlock passcode. Ideally, an iCloud passcode change would require: Face ID or Touch ID, current iCloud passcode, and device passcode.
02) All account critical settings on iOS and macOS should (optionally) be able to be locked behind an at least 6 digit passcode with the option to be alphanumeric and CANNOT also be the same as any currently used passcode like iCloud or device unlock. Adding Face ID and Touch ID authentication should be an option here as well.
03) There should be an option to toggle on a 24hr waiting period for an iCloud password reset to take effect.
04) Important apps like banking apps, stock market apps, email or whatever app (or folder) the user chooses, should have the option to be locked behind a passcode which must be entered before they launch. These apps and folder self-lock when the phone locks.
05) Once Advanced Data Protection is on, changing the Recovery Key or turning the Recovery Key off should require the device unlock passcode AND the iCloud passcode and probably Face ID or Touch ID as well. It should also have a waiting period as an user-settable option for 6, 12, or 24 hours.
06) Screen time passcode should not be able to be added, removed, or changed without iCloud passcode AND device passcode and probably Face ID or Touch ID as well.
07) If FaceID fails for Passwords (in Settings), require iCloud passcode AND Device passcode to unlock. Maybe have it always require some passcode.
08) Removing devices from your account through Safety Check should require iCloud passcode and device passcode and probably Face ID or Touch ID as well.
09) Apple could make a “duress” passcode an option, (or button presses) where when it’s used it locks down the phone or erases it (options set by the phone’s owner) or turns on Lockdown Mode.
10) FaceID and Touch ID should not be able to be altered without iCloud Passcode and Device Passcode.
11) Maybe a quick way to enable Lockdown Mode.
12) Apple should have an option to disable character preview on keyboard when typing passcodes. Also, an option to toggle off the last character shown in text entry box when typing passcodes.
13) There is a trusted emergency contact option available to regain access to iCloud if password is forgotten or changed. However, to change, remove, or add a trusted emergency contact, the iCloud password, device unlock passcode, and biometric ID should be required.
14) iCloud passwords should have an optional hint available in case the passcode is forgotten.
15) Apple should add the ability to require an app to be unlocked with a pin or biometric ID in that app’s settings via a toggle. For example in an app’s settings “Require Face ID or Touch ID to open.”
16) Any account change should have the option to lock it behind a physical MFA device like a yubikey.
17) Another suggestion is to make changing your iCloud password require 2 device authentication. But this will not work for those that only own one device, obviously.
18) In the case of someone with only an iPhone and no other apple devices or home computer or laptop changing iCloud password should not send any manner of confirmation code or email to that single specific device. This is like an ATM telling you your PIN code. In this case something like security questions (that are NOT stored in Passwords) should be used. And in this case these answers would simply have to be remembered by the user as they would not be contained on the phone. Maybe they could be in a locked Note, but then that password would be on the phone also, potentially, in Passwords. The point is any verification for a person who only has an iPhone and no other computer or device should be something not retained on the phone and only kept in that person’s brain.
19) Screen Time, if set to not allow account or password changes, should prevent iCloud passcode from being changed until the Screen Time passcode is entered.
20) If a Screen Time passcode is set, it should not be allowed to be altered if the device passcode is used to reset the AppleID.
21) If one forgets their Screen Time passcode, there should not be any “Forgot AppleID passcode?” presented to recover or change it.
Concerns once passcode is known by bad actor:
01) With Find My enabled when a bad actor has control of your phone (via just the device unlock passcode, alone) and it is a trusted device, the bad actor can permanently lock you out of
ALL your other “Find My” enabled devices.
02) They can not only see where all your other Find My devices are, but if you are carrying one with you they can track and follow you to steal it and because they may already have control of ALL your devices, and the bad actor would be the only one able to use them. They can PRE-STEAL your devices even before they physically have them and lock them so that only they can use them.
03) A bad actor could possibly see where you are due to your airtags and also know that you have a laptop or desktop at home and steal it since they can see you are not at home.
